From 6b094bc3f80a4269751baf3ec1a42829760e045e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20Gr=C3=B6ger?=
Date: Tue, 27 Oct 2020 14:37:39 +0100
Subject: [PATCH 1/2] Verbiete uploade der Config-Datei
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Außerdem private Startoption
---
 .gitignore | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.gitignore b/.gitignore
index 71796df..8b76607 100644
--- a/.gitignore
+++ b/.gitignore
@@ -127,3 +127,9 @@ test_pricelist/
 test_project/
 config.yml
 geruecht.config.yml
+
+# config
+flaschengeist/flaschengeist.cfg
+
+# start flaschengeist in pycharme professional
+run_flaschengeist_pycharm.py

From a0b8dbe36a3af0489b0983b16e1e3004404b4dc9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tim=20Gr=C3=B6ger?=
Date: Wed, 28 Oct 2020 12:58:34 +0100
Subject: [PATCH 2/2] Fixed hidden attributes in auth and users

---
 flaschengeist/modules/auth/__init__.py | 8 ++++----
 flaschengeist/modules/users/__init__.py | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/flaschengeist/modules/auth/__init__.py b/flaschengeist/modules/auth/__init__.py
index 594bb01..1c3f036 100644
--- a/flaschengeist/modules/auth/__init__.py
+++ b/flaschengeist/modules/auth/__init__.py
@@ -76,7 +76,7 @@ def _get_sessions(access_token: Session, **kwargs):
 @login_required()
 def _delete_session(access_token, token, **kwargs):
     logger.debug("Try to delete access token {{ {} }}".format(token))
-    token = sessionController.get_session(token, access_token.user)
+    token = sessionController.get_session(token, access_token._user)
     if not token:
         logger.debug("Token not found in database!")
         # Return 403 error, so that users can not bruteforce tokens
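Review bot: Listing `flaschengeist/flaschengeist.cfg` in `.gitignore` only stops future `git add`s; if the file was already tracked when this commit was made it stays in the index until `git rm --cached flaschengeist/flaschengeist.cfg` is run, and any copy already present in earlier commits remains retrievable from history, so credentials it held should be treated as exposed and rotated. Whether the file was tracked before cannot be told from the patch. The entry's comment `# config` says little; `# local instance configuration, keep out of the repository` would state the intent the commit subject describes.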
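Review bot: The new line reads `access_token._user`, a leading-underscore attribute of the session object, from the blueprint module, and the same access is repeated in the hunks at `@@ -91`, `@@ -103` and `@@ -114` of this file and at `@@ -70` of `flaschengeist/modules/users/__init__.py`. If `user` was renamed to `_user` on the model to keep it out of something that walks instance attributes (the commit title only says "hidden attributes", so this is inferred), the route layer is now coupled to that private field and every future rename is a five-place edit. A read-only `@property` on the session class would keep the stored field private while giving the routes one stable name; the same applies wherever the five hunks touch. The body of `_delete_session` continues outside the hunk, and note that it rebinds the incoming `token` parameter to the lookup result, which is what makes its `if not token:` guard actually test the lookup.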
@@ -91,7 +91,7 @@ def _delete_session(access_token, token, **kwargs):
 @login_required()
 def _get_session(token, access_token, **kwargs):
     logger.debug("get token {{ {} }}".format(token))
-    session = sessionController.get_session(token, access_token.user)
+    session = sessionController.get_session(token, access_token._user)
     if not token:
         # Return 403 error, so that users can not bruteforce tokens
         # Valid tokens from other users and invalid tokens now are looking the same
@@ -103,7 +103,7 @@ def _get_session(token, access_token, **kwargs):
 @login_required()
 def _get_assocd_user(token, access_token, **kwargs):
     logger.debug("get token {{ {} }}".format(token))
-    session = sessionController.get_session(token, access_token.user)
+    session = sessionController.get_session(token, access_token._user)
     if not token:
         # Return 403 error, so that users can not bruteforce tokens
         # Valid tokens from other users and invalid tokens now are looking the same
@@ -114,7 +114,7 @@ def _get_assocd_user(token, access_token, **kwargs):
 @auth_bp.route("/auth/", methods=["PUT"])
 @login_required()
 def _set_lifetime(token, access_token, **kwargs):
-    token = sessionController.get_token(token, access_token.user)
+    token = sessionController.get_token(token, access_token._user)
     if not token:
         # Return 403 error, so that users can not bruteforce tokens
         # Valid tokens from other users and invalid tokens now are looking the same
diff --git a/flaschengeist/modules/users/__init__.py b/flaschengeist/modules/users/__init__.py
index f48cfe5..3f7cec5 100644
--- a/flaschengeist/modules/users/__init__.py
+++ b/flaschengeist/modules/users/__init__.py
@@ -62,7 +62,7 @@ def __delete_user(uid, **kwargs):
 @users_bp.route("/users/", methods=["PUT"])
 @login_required()
-def __edit_user(uid, **kwargs):
+def __edit_user(uid, access_token ,**kwargs):
     logger.debug("Modify information of user {{ {} }}".format(uid))
     user = userController.get_user(uid)
     data = request.get_json()
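Review bot: In `_get_session` the lookup result is bound to `session`, but the guard on the following line tests `if not token:`; `token` is the route parameter that matched the request, so it is non-empty and the 403 branch that the comment says should make unknown and foreign tokens look the same is never taken when the lookup fails — the request falls through to the code after the hunk with `session` still `None`, which very likely produces a different status than the intended 403 and so gives back the distinction the comment is trying to remove. The same mismatch is in `_get_assocd_user` at `@@ -103`. Both guards should read `if not session:`. `_delete_session` and `_set_lifetime` assign the lookup back to `token`, so their guards are not affected. The bodies of `_get_session` and `_get_assocd_user` continue outside their hunks.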
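Review bot: The new signature `def __edit_user(uid, access_token ,**kwargs):` has a stray space before the comma; PEP 8 spacing is `def __edit_user(uid, access_token, **kwargs):`. Promoting `access_token` from `kwargs` to a named parameter is a good change, since it makes the dependency on the authenticated session visible in the signature. The body of `__edit_user` continues past the hunk.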
@@ -70,7 +70,7 @@ def __edit_user(uid, **kwargs):
     password = None
     new_password = data["new_password"] if "new_password" in data else None
-    if uid != kwargs["access_token"].user.userid:
+    if uid != access_token._user.userid:
         if not user.has_permission(_permission_edit):
             return Forbidden
         else:
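Review bot: The permission-denied path two lines below the changed comparison does `return Forbidden`, handing the exception class itself back as the view's return value; if `Forbidden` is werkzeug's exception, the idiom is `raise Forbidden()`, which Flask converts into a 403 response, whereas returning the class is unlikely to produce that status. This is context rather than changed code, but the new `uid != access_token._user.userid` comparison is what sends a caller editing another account into that branch, so the guard only protects the resource if it actually yields a 403. The comparison also assumes `uid` and `userid` have the same type, which cannot be confirmed from the hunk. `__edit_user` continues outside the hunk.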