From 40242afa36f2bd6edc901a41ace04dfb880ea33f Mon Sep 17 00:00:00 2001
From: Benjamyn Love <me@benjamyn.love>
Date: Wed, 29 Jan 2020 11:53:53 +1100
Subject: [PATCH] Added in a admin page and auth checks

---
 shop.py              | 48 ++++++++++++++++++++++++++++++----
 static/css/main.css  |  1 +
 templates/admin.html | 61 ++++++++++++++++++++++++++++++++++++++++++++
 templates/index.html | 58 ++++++++++++++++++++++++-----------------
 templates/list.html  | 54 +++++++++++++++++++++------------------
 5 files changed, 168 insertions(+), 54 deletions(-)
 create mode 100644 templates/admin.html

diff --git a/shop.py b/shop.py
index 6e5ea13..e02125c 100644
--- a/shop.py
+++ b/shop.py
@@ -1,4 +1,4 @@
-from flask import Flask, render_template, make_response, request, redirect, url_for, session
+from flask import Flask, render_template, make_response, request, redirect, url_for, session, abort
 from pprint import pprint
 import mysql.connector
 import configparser
@@ -37,7 +37,7 @@ def runQuery(query):
     mydb = dbConnect()
     c = mydb.cursor()
     c.execute(query)
-    if "select" in query.lower():
+    if query.lower().startswith("select"):
         ret = c.fetchall()
     else:
         ret = []
@@ -66,7 +66,20 @@ def getItem(rowID):
 
 def unGetItem(rowID):
     query = f"UPDATE SHOPLIST set gotten = 0 where id = {rowID}"
-    
+    runQuery(query)
+
+def get_users(username=None):
+    if username == None:
+        #return all users
+        query = "select username, admin from USERS"
+        return runQuery(query)
+    query = f"select username, admin from USERS where username like '{username}'"
+    return runQuery(query)
+
+def add_user(userData):
+    username = userData["username"]
+    password = userData["password"]
+    query = f"insert into USERS (username, password, admin) values ('{username}', md5('{password}'), False)"
     runQuery(query)
 
 app = Flask(__name__)
@@ -80,7 +93,7 @@ def index():
         return render_template("auth.html", data=data)
 
     query = readFromDB()
-    data = {"title":"Shopping List", "results":query}
+    data = {"title": "Shopping List", "results": query, "username": session["username"]}
     for device in MOBILES:
         if device in request.user_agent.platform:
             return render_template('mobile.html', data=data)
@@ -103,17 +116,42 @@ def handle_data():
         unGetItem(request.form["ungot"])
         
     if "loginform" in request.form:
-        query = "select id, username from USERS where username = '%s' and password = md5('%s')" % (request.form["username"].lower(), request.form["password"])
+        query = "select id, username, admin from USERS where username = '%s' and password = md5('%s')" % (request.form["username"].lower(), request.form["password"])
 
         res = runQuery(query)
         if len(res) != 0:
             session["id"] = res[0][0]
             session["username"] = res[0][1]
+            session["isAdmin"] = res[0][2]
+
+    if "newuser" in request.form:
+        #first check if the user exists
+        usrCheck = get_users(request.form["username"])
+        print(usrCheck)
+        if len(usrCheck) != 0:
+            return "Username Exists"
+        userData = {"username": request.form["username"], "password": request.form["password"]}
+        add_user(userData)
+        return redirect(url_for("admin"))
 
     if "logout" in request.form:
         session.clear()
     return redirect(url_for('index'))
 
+@app.route("/admin")
+def admin():
+    if session.get('id') is None:
+        data = {"title":"Login"}
+        return render_template("auth.html", data=data)
+    elif session.get('isAdmin') == 0:
+        return redirect(url_for("index"))
+
+    #get a list of users
+    userList = get_users()
+    data = {"users": userList}
+
+    return render_template("admin.html", data=data)
+
 if __name__ == '__main__':
     doesTableExist()
     app.run(host="0.0.0.0")
diff --git a/static/css/main.css b/static/css/main.css
index 2ba0dc2..1d7960c 100644
--- a/static/css/main.css
+++ b/static/css/main.css
@@ -37,5 +37,6 @@ aside {
 
 body {
     background-color: #2a2a2a;
+    color: azure;
 }
 
diff --git a/templates/admin.html b/templates/admin.html
new file mode 100644
index 0000000..0538cc8
--- /dev/null
+++ b/templates/admin.html
@@ -0,0 +1,61 @@
+{% include "header.html" %}
+
+<body>
+    <h1 class="text-center">LIST USERS</h1>
+    <div class="container">
+        <table class="table table-striped table-dark table-hover">
+            <thead>
+                <tr>
+                    <th scope="col">Username</th>
+                    <th scope="col">Admin</th>
+                    <th scope="col">Change Password</th>
+                </tr>
+            </thead>
+            <tbody>
+                {% for x in data["users"] %}
+                <tr scope="row">
+                    <td>{{x[0]}}</td>
+                    <td>{% if x[1] == 1 %} Yes {% else %} No {% endif %}</td>
+                    <td> Implement later </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+    </div>
+    <hr>
+    <h1 class="text-center">ADD NEW USERS</h1>
+    <div class="container">
+        <form class="loginform"  action="/post" method="POST">
+            <div class="form-group row">
+                <label for="addbox" class="col-sm-2 col-form-label" >Username</label>
+                <div class="col-sm-10">
+                    <input type=text class="form-control" id="addbox" type="text" name="username" />
+                </div>
+            </div>
+            <div class="form-group row">
+                <label for="addbox" class="col-sm-2 col-form-label" >Password</label>
+                    <div class="col-sm-10">
+                        <input class="form-control" id="addbox" type="password" name="password"/>
+                    </div>
+                    <div class="form-group" style="padding-top: 10px; padding-left: 10px;">
+                        <input class="btn btn-secondary" id="logbtn" type="submit" name="newuser" value="Create new account" />
+                    </div>
+            </div>
+        </form>
+        <div id="logout" style="padding-top: 3px;">
+            <a href="/">
+                <button onclick="window.location='admin'" class="btn btn-secondary"><i style="padding-top: 3px;"
+                        class="material-icons">
+                        home
+                    </i></button></a>
+        </div>
+    </div>
+    <!-- jQuery library -->
+    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
+    <!-- Popper JS -->
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.0/umd/popper.min.js"></script>
+    <!-- Latest compiled JavaScript -->
+    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js"></script>
+</body>
+
+</html>
\ No newline at end of file
diff --git a/templates/index.html b/templates/index.html
index 4c7316e..168924b 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -1,29 +1,39 @@
 {% include "header.html" %}
-    <body>
-        <h1 class="container" style="text-align: center">{{ data["title"] }}</h1>
-        <!-- <aside> -->
-        <div id="addForm">
-            {% include "addForm.html" %}
+
+<body>
+    <h1 class="container" style="text-align: center">{{ data["title"] }}, {{data["username"].title()}}</h1>
+    <!-- <aside> -->
+    <div id="addForm">
+        {% include "addForm.html" %}
+    </div>
+    </div>
+    <!-- </aside> -->
+    <div class="container">
+        {% include "list.html" %}
+    </div>
+    <div id="logout">
+        <form action="/post" method="POST">
+            <button type="submit" name="logout" class="btn btn-secondary"><i style="padding-top: 3px;"
+                    class="material-icons">
+                    exit_to_app
+                </i></button>
+        </form>
+        <div style="padding-top: 3px;">
+            <a href="admin">
+                <button onclick="window.location='admin'" class="btn btn-secondary"><i style="padding-top: 3px;"
+                        class="material-icons">
+                        vpn_key
+                    </i></button></a>
         </div>
     </div>
-        <!-- </aside> -->
-        <div class="container" >
-            {% include "list.html" %}
-        </div>
-        <div id="logout">
-            <form action="/post" method="POST">
-                <button  type="submit" name="logout" class="btn btn-secondary"><i style="padding-top: 3px;" class="material-icons">
-                    exit_to_app
-                    </i></button>
-            </form>
-        </div>
-        <!-- jQuery library -->
-        <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
+    <!-- jQuery library -->
+    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
 
-        <!-- Popper JS -->
-        <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.0/umd/popper.min.js"></script>
+    <!-- Popper JS -->
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.0/umd/popper.min.js"></script>
 
-        <!-- Latest compiled JavaScript -->
-        <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js"></script> 
-    </body>
-</html>
+    <!-- Latest compiled JavaScript -->
+    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js"></script>
+</body>
+
+</html>
\ No newline at end of file
diff --git a/templates/list.html b/templates/list.html
index 1c71d82..abc93ec 100644
--- a/templates/list.html
+++ b/templates/list.html
@@ -1,27 +1,31 @@
 <table class="table table-striped table-dark table-hover">
-    <thead class="">
-            <tr>
-              <th scope="col">Item</th>
-              <th scope="col">Requester</th>
-              <th scope="col">Gottem?</th>
-              <th scope="col">Remove</th>
-            </tr>
-{% for x in data["results"] %}
-<tbody>
-<tr scope="row" id="row-{{x[0]}}">
-<td>{{x[1]}}</td>
-<td>{{x[3].title()}}</td>
-
-<td> {% if x[2] == 0 %}
-        <form><button class="btn btn-secondary" type="submit" formaction="/post" formmethod="POST" name="got" value="{{x[0]}}">No</button></form>
-     {% else %}
-     <form><button class="btn btn-secondary" type="submit" formaction="/post" formmethod="POST" name="ungot" value="{{x[0]}}">Yes</button></form>
-     {% endif %}</td>
-<td><form>
-<button class="btn btn-secondary" type="submit" formaction="/post" formmethod="POST" name="rem" value="{{x[0]}}">Remove</button>
-</form>
-</td>
-</tr>
-{% endfor %}
-</tbody>
+  <thead class="">
+    <tr>
+      <th scope="col">Item</th>
+      <th scope="col">Requester</th>
+      <th scope="col">Gottem?</th>
+      <th scope="col">Remove</th>
+    </tr>
+  </thead>
+  <tbody>
+    {% for x in data["results"] %}
+    <tr scope="row" id="row-{{x[0]}}">
+      <td>{{x[1]}}</td>
+      <td>{{x[3].title()}}</td>
+      <td> {% if x[2] == 0 %}
+        <form><button class="btn btn-secondary" type="submit" formaction="/post" formmethod="POST" name="got"
+            value="{{x[0]}}">No</button></form>
+        {% else %}
+        <form><button class="btn btn-secondary" type="submit" formaction="/post" formmethod="POST" name="ungot"
+            value="{{x[0]}}">Yes</button></form>
+        {% endif %}</td>
+      <td>
+        <form>
+          <button class="btn btn-secondary" type="submit" formaction="/post" formmethod="POST" name="rem"
+            value="{{x[0]}}">Remove</button>
+        </form>
+      </td>
+    </tr>
+    {% endfor %}
+  </tbody>
 </table>
\ No newline at end of file