Fixed potential exploit in the change pass page

shop.py

@@ -17,7 +17,7 @@ def createSession(res):
 
 def refreshSession(id):
     list_ids = db.get_list_ids(int(session["id"]))
-    print(list_ids)
+    # print(list_ids)
     session["list_ids"] = None
     session["list_ids"] = list_ids
     # print(session["list_ids"])
@@ -40,7 +40,7 @@ def index():
 
 @application.route('/post', methods=['POST'])
 def handle_data():
-    print(request.form)
+    # print(request.form)
     if "addValue" in request.form:
         for x in request.form:
             if request.form[x] == '':
@@ -69,9 +69,15 @@ def handle_data():
         db.add_user(userData)
         return redirect(url_for("admin"))
 
-    if "newpass" in request.form:
+    if "adminpass" in request.form:
         user_id = request.form['updatepass']
+        newpass = request.form['adminpass']
+        db.update_pass(user_id, newpass)
+        return redirect(url_for("admin"))
+
+    if "newpass" in request.form:
         newpass = request.form['newpass']
+        user_id = session["id"]
         db.update_pass(user_id, newpass)
         return redirect(url_for("index"))
 

templates/admin.html

@@ -18,7 +18,7 @@
                     <td>{% if x[1] == 1 %} Yes {% else %} No {% endif %}</td>
                     <td align="right">
                         <form action="/post" method="POST"><input style="width: 70%; display: inline;"
-                                class="form-control" type="text" name="newpass" id="addbox"><button
+                                class="form-control" type="text" name="adminpass" id="addbox"><button
                                 class="btn btn-secondary" type="submit" name="updatepass" value="{{x[2]}}"> Change
                                 Password </button></form>
                     </td>