Items can only be removed by the requester

2020-01-29 14:10:27 +11:00 · 2020-01-29 14:10:27 +11:00 · b98750e169
commit b98750e169
parent 58fa1d5b22
3 changed files with 15 additions and 3 deletions
--- a/shop.py
+++ b/shop.py
@ -71,7 +71,7 @@ def unGetItem(rowID):
 def get_users(username=None):
    if username == None:
        #return all users
-        query = "select username, admin from USERS"
+        query = "select username, admin, id from USERS"
        return runQuery(query)
    query = f"select username, admin from USERS where username like '{username}'"
    return runQuery(query)
@ -82,6 +82,10 @@ def add_user(userData):
    query = f"insert into USERS (username, password, admin) values ('{username}', md5('{password}'), False)"
    runQuery(query)

+def update_pass(user_id, newpass):
+    query = f"update USERS set password=md5('{newpass}') where id={user_id}"
+    runQuery(query)
+
 app = Flask(__name__)
 app.config["DEBUG"] = True
 app.secret_key = b'*$#@U9423jr92jioJKL_)_;dasfj()12'
@ -134,6 +138,12 @@ def handle_data():
        add_user(userData)
        return redirect(url_for("admin"))

+    if "newpass" in request.form:
+        user_id = request.form['updatepass']
+        newpass = request.form['newpass']
+        update_pass(user_id, newpass)
+        return redirect(url_for("admin"))
+
    if "logout" in request.form:
        session.clear()
    return redirect(url_for('index'))
--- a/templates/admin.html
+++ b/templates/admin.html
@ -8,7 +8,7 @@
                <tr>
                    <th scope="col">Username</th>
                    <th scope="col">Admin</th>
-                    <th scope="col">Change Password</th>
+                    <th style="text-align: right" scope="col">Change Password</th>
                </tr>
            </thead>
            <tbody>
@ -16,7 +16,7 @@
                <tr scope="row">
                    <td>{{x[0]}}</td>
                    <td>{% if x[1] == 1 %} Yes {% else %} No {% endif %}</td>
-                    <td> Implement later </td>
+                    <td align="right"><form action="/post" method="POST"><input style="width: 70%; display: inline;" class="form-control" type="text" name="newpass" id="addbox"><button class="btn btn-secondary" type="submit" name="updatepass" value="{{x[2]}}"> Change Password </button></form></td>
                </tr>
                {% endfor %}
            </tbody>
--- a/templates/list.html
+++ b/templates/list.html
@ -21,8 +21,10 @@
        {% endif %}</td>
      <td>
        <form>
+          {% if data["username"] == x[3] %}
          <button class="btn btn-secondary" type="submit" formaction="/post" formmethod="POST" name="rem"
            value="{{x[0]}}">Remove</button>
+          {% endif %}
        </form>
      </td>
    </tr>