Added in a admin page and auth checks

2020-01-29 11:53:53 +11:00 · 2020-01-29 11:53:53 +11:00 · 40242afa36
commit 40242afa36
parent 853089f3b5
5 changed files with 168 additions and 54 deletions
--- a/shop.py
+++ b/shop.py
@ -1,4 +1,4 @@
-from flask import Flask, render_template, make_response, request, redirect, url_for, session
+from flask import Flask, render_template, make_response, request, redirect, url_for, session, abort
 from pprint import pprint
 import mysql.connector
 import configparser
@ -37,7 +37,7 @@ def runQuery(query):
    mydb = dbConnect()
    c = mydb.cursor()
    c.execute(query)
-    if "select" in query.lower():
+    if query.lower().startswith("select"):
        ret = c.fetchall()
    else:
        ret = []
@ -66,7 +66,20 @@ def getItem(rowID):

 def unGetItem(rowID):
    query = f"UPDATE SHOPLIST set gotten = 0 where id = {rowID}"
+    runQuery(query)

+def get_users(username=None):
+    if username == None:
+        #return all users
+        query = "select username, admin from USERS"
+        return runQuery(query)
+    query = f"select username, admin from USERS where username like '{username}'"
+    return runQuery(query)
+
+def add_user(userData):
+    username = userData["username"]
+    password = userData["password"]
+    query = f"insert into USERS (username, password, admin) values ('{username}', md5('{password}'), False)"
    runQuery(query)

 app = Flask(__name__)
@ -80,7 +93,7 @@ def index():
        return render_template("auth.html", data=data)

    query = readFromDB()
-    data = {"title":"Shopping List", "results":query}
+    data = {"title": "Shopping List", "results": query, "username": session["username"]}
    for device in MOBILES:
        if device in request.user_agent.platform:
            return render_template('mobile.html', data=data)
@ -103,17 +116,42 @@ def handle_data():
        unGetItem(request.form["ungot"])
        
    if "loginform" in request.form:
-        query = "select id, username from USERS where username = '%s' and password = md5('%s')" % (request.form["username"].lower(), request.form["password"])
+        query = "select id, username, admin from USERS where username = '%s' and password = md5('%s')" % (request.form["username"].lower(), request.form["password"])

        res = runQuery(query)
        if len(res) != 0:
            session["id"] = res[0][0]
            session["username"] = res[0][1]
+            session["isAdmin"] = res[0][2]
+
+    if "newuser" in request.form:
+        #first check if the user exists
+        usrCheck = get_users(request.form["username"])
+        print(usrCheck)
+        if len(usrCheck) != 0:
+            return "Username Exists"
+        userData = {"username": request.form["username"], "password": request.form["password"]}
+        add_user(userData)
+        return redirect(url_for("admin"))

    if "logout" in request.form:
        session.clear()
    return redirect(url_for('index'))

+@app.route("/admin")
+def admin():
+    if session.get('id') is None:
+        data = {"title":"Login"}
+        return render_template("auth.html", data=data)
+    elif session.get('isAdmin') == 0:
+        return redirect(url_for("index"))
+
+    #get a list of users
+    userList = get_users()
+    data = {"users": userList}
+
+    return render_template("admin.html", data=data)
+
 if __name__ == '__main__':
    doesTableExist()
    app.run(host="0.0.0.0")
--- a/static/css/main.css
+++ b/static/css/main.css
@ -37,5 +37,6 @@ aside {

 body {
    background-color: #2a2a2a;
+    color: azure;
 }

--- a/templates/admin.html
+++ b/templates/admin.html
@ -0,0 +1,61 @@
+{% include "header.html" %}
+
+<body>
+    <h1 class="text-center">LIST USERS</h1>
+    <div class="container">
+        <table class="table table-striped table-dark table-hover">
+            <thead>
+                <tr>
+                    <th scope="col">Username</th>
+                    <th scope="col">Admin</th>
+                    <th scope="col">Change Password</th>
+                </tr>
+            </thead>
+            <tbody>
+                {% for x in data["users"] %}
+                <tr scope="row">
+                    <td>{{x[0]}}</td>
+                    <td>{% if x[1] == 1 %} Yes {% else %} No {% endif %}</td>
+                    <td> Implement later </td>
+                </tr>
+                {% endfor %}
+            </tbody>
+        </table>
+    </div>
+    <hr>
+    <h1 class="text-center">ADD NEW USERS</h1>
+    <div class="container">
+        <form class="loginform"  action="/post" method="POST">
+            <div class="form-group row">
+                <label for="addbox" class="col-sm-2 col-form-label" >Username</label>
+                <div class="col-sm-10">
+                    <input type=text class="form-control" id="addbox" type="text" name="username" />
+                </div>
+            </div>
+            <div class="form-group row">
+                <label for="addbox" class="col-sm-2 col-form-label" >Password</label>
+                    <div class="col-sm-10">
+                        <input class="form-control" id="addbox" type="password" name="password"/>
+                    </div>
+                    <div class="form-group" style="padding-top: 10px; padding-left: 10px;">
+                        <input class="btn btn-secondary" id="logbtn" type="submit" name="newuser" value="Create new account" />
+                    </div>
+            </div>
+        </form>
+        <div id="logout" style="padding-top: 3px;">
+            <a href="/">
+                <button onclick="window.location='admin'" class="btn btn-secondary"><i style="padding-top: 3px;"
+                        class="material-icons">
+                        home
+                    </i></button></a>
+        </div>
+    </div>
+    <!-- jQuery library -->
+    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
+    <!-- Popper JS -->
+    <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.16.0/umd/popper.min.js"></script>
+    <!-- Latest compiled JavaScript -->
+    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js"></script>
+</body>
+
+</html>
--- a/templates/index.html
+++ b/templates/index.html
@ -1,6 +1,7 @@
 {% include "header.html" %}
+
 <body>
-        <h1 class="container" style="text-align: center">{{ data["title"] }}</h1>
+    <h1 class="container" style="text-align: center">{{ data["title"] }}, {{data["username"].title()}}</h1>
    <!-- <aside> -->
    <div id="addForm">
        {% include "addForm.html" %}
@ -12,10 +13,18 @@
    </div>
    <div id="logout">
        <form action="/post" method="POST">
-                <button  type="submit" name="logout" class="btn btn-secondary"><i style="padding-top: 3px;" class="material-icons">
+            <button type="submit" name="logout" class="btn btn-secondary"><i style="padding-top: 3px;"
+                    class="material-icons">
                    exit_to_app
                </i></button>
        </form>
+        <div style="padding-top: 3px;">
+            <a href="admin">
+                <button onclick="window.location='admin'" class="btn btn-secondary"><i style="padding-top: 3px;"
+                        class="material-icons">
+                        vpn_key
+                    </i></button></a>
+        </div>
    </div>
    <!-- jQuery library -->
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js"></script>
@ -26,4 +35,5 @@
    <!-- Latest compiled JavaScript -->
    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.4.1/js/bootstrap.min.js"></script>
 </body>
+
 </html>
--- a/templates/list.html
+++ b/templates/list.html
@ -6,19 +6,23 @@
      <th scope="col">Gottem?</th>
      <th scope="col">Remove</th>
    </tr>
-{% for x in data["results"] %}
+  </thead>
  <tbody>
+    {% for x in data["results"] %}
    <tr scope="row" id="row-{{x[0]}}">
      <td>{{x[1]}}</td>
      <td>{{x[3].title()}}</td>
-
      <td> {% if x[2] == 0 %}
-        <form><button class="btn btn-secondary" type="submit" formaction="/post" formmethod="POST" name="got" value="{{x[0]}}">No</button></form>
+        <form><button class="btn btn-secondary" type="submit" formaction="/post" formmethod="POST" name="got"
+            value="{{x[0]}}">No</button></form>
        {% else %}
-     <form><button class="btn btn-secondary" type="submit" formaction="/post" formmethod="POST" name="ungot" value="{{x[0]}}">Yes</button></form>
+        <form><button class="btn btn-secondary" type="submit" formaction="/post" formmethod="POST" name="ungot"
+            value="{{x[0]}}">Yes</button></form>
        {% endif %}</td>
-<td><form>
-<button class="btn btn-secondary" type="submit" formaction="/post" formmethod="POST" name="rem" value="{{x[0]}}">Remove</button>
+      <td>
+        <form>
+          <button class="btn btn-secondary" type="submit" formaction="/post" formmethod="POST" name="rem"
+            value="{{x[0]}}">Remove</button>
        </form>
      </td>
    </tr>