Diffstat (limited to 'cgi')
-rw-r--r--cgi/manage.py120
1 files changed, 81 insertions, 39 deletions
diff --git a/cgi/manage.py b/cgi/manage.py
index 3df0f77..8a2c7e4 100644
--- a/cgi/manage.py
+++ b/cgi/manage.py
@@ -20,47 +20,43 @@ def manage(self, path_split):
administrator = False
moderator = True
skiptemplate = False
+ staff_account = None
- try:
- if self.formdata['username'] and self.formdata['password']:
- # If no admin accounts available, create admin:admin
- first_admin = FetchOne("SELECT 1 FROM `staff` WHERE `rights` = 0 LIMIT 1", 0)
- if not first_admin:
- InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('admin', '" + _mysql.escape_string(genPasswd("admin")) + "', 0, 0)")
+ if 'username' in self.formdata and 'password' in self.formdata:
+ # If no admin accounts available, create admin:admin
+ first_admin = FetchOne("SELECT 1 FROM `staff` WHERE `rights` = 0 LIMIT 1", 0)
+ if not first_admin:
+ InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('admin', '" + _mysql.escape_string(genPasswd("admin")) + "', 0, 0)")
- password = genPasswd(self.formdata['password'])
-
- valid_account = FetchOne("SELECT * FROM `staff` WHERE `username` = '" + _mysql.escape_string(self.formdata['username']) + "' AND `password` = '" + _mysql.escape_string(password) + "' LIMIT 1")
- if valid_account:
- setCookie(self, 'weabot_manage', self.formdata['username'] + ':' + valid_account['password'], domain='THIS')
- UpdateDb('DELETE FROM `logs` WHERE `timestamp` < ' + str(timestamp() - 604800)) # one week
- else:
- page += _('Incorrect username/password.')
- logAction('', 'Failed log-in. U:'+_mysql.escape_string(self.formdata['username'])+' IP:'+self.environ["REMOTE_ADDR"])
- except:
- pass
-
- try:
+ password = genPasswd(self.formdata['password'])
+
+ staff_account = FetchOne("SELECT * FROM `staff` WHERE `username` = '" + _mysql.escape_string(self.formdata['username']) + "' AND `password` = '" + _mysql.escape_string(password) + "' LIMIT 1")
+ if staff_account:
+ session_uuid = newSession(staff_account['id'])
+ setCookie(self, 'weabot_manage', session_uuid)
+ UpdateDb('DELETE FROM `logs` WHERE `timestamp` < ' + str(timestamp() - 604800)) # one week
+ else:
+ page += _('Incorrect username/password.')
+ logAction('', 'Failed log-in. U:'+_mysql.escape_string(self.formdata['username'])+' IP:'+self.environ["REMOTE_ADDR"])
+ else:
+ # Validate existing session
manage_cookie = getCookie(self, 'weabot_manage')
- if manage_cookie != '':
- username, password = manage_cookie.split(':')
- staff_account = FetchOne("SELECT * FROM `staff` WHERE `username` = '" + _mysql.escape_string(username) + "' AND `password` = '" + _mysql.escape_string(password) + "' LIMIT 1")
- if staff_account:
- validated = True
- if staff_account['rights'] == '0' or staff_account['rights'] == '1' or staff_account['rights'] == '2':
- administrator = True
- if staff_account['rights'] == '2':
- moderator = False
- UpdateDb('UPDATE `staff` SET `lastactive` = ' + str(timestamp()) + ' WHERE `id` = ' + staff_account['id'] + ' LIMIT 1')
- except:
- pass
+ if manage_cookie:
+ staff_account = validateSession(manage_cookie)
+ if not staff_account:
+ page += "La sesiĆ³n ha expirado. Por favor ingresa tus credenciales nuevamente."
+ deleteCookie(self, 'weabot_manage')
- #validated = True
- #moderator = True
- #staff_account = {}
- #staff_account['username'] = ''
- #staff_account['rights'] = '0'
- #staff_account['added'] = '0'
+ if staff_account:
+ validated = True
+ if 'session_id' in staff_account:
+ renewSession(staff_account['session_id'])
+
+ if staff_account['rights'] in ['0', '1', '2']:
+ administrator = True
+ if staff_account['rights'] == '2':
+ moderator = False
+ UpdateDb('UPDATE `staff` SET `lastactive` = ' + str(timestamp()) + ' WHERE `id` = ' + staff_account['id'] + ' LIMIT 1')
if not validated:
template_filename = "login.html"
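Review bot: `setCookie(self, 'weabot_manage', session_uuid)` on the successful-login path drops the `domain='THIS'` keyword that the removed call passed; if that argument controls the cookie's domain scope, the new session cookie is now issued with the default scope, so either confirm that is intended or restore it as `setCookie(self, 'weabot_manage', session_uuid, domain='THIS')`. The expired-session message is a hard-coded literal while the neighbouring message goes through `_()`, and its "ó" renders garbled here (possibly a page artifact — verify the file is saved as UTF-8); `page += _('Your session has expired. Please enter your credentials again.')` keeps it consistent with the rest of the handler. The body of `manage` continues well past this hunk.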
@@ -1462,8 +1458,8 @@ def manage(self, path_split):
template_values = {'logs': logs}
elif path_split[2] == 'logout':
message = _('Logging out...') + '<meta http-equiv="refresh" content="0;url=' + Settings.CGI_URL + 'manage" />'
- setCookie(self, 'weabot_manage', '', domain='THIS')
- setCookie(self, 'weabot_staff', '')
+ deleteCookie(self, 'weabot_manage')
+ deleteSession(staff_account['session_id'])
template_filename = "message.html"
elif path_split[2] == 'quotes':
# Quotes for the post screen
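Review bot: `deleteSession(staff_account['session_id'])` assumes the key exists, but when `staff_account` was populated by the credential branch earlier in `manage` it is a plain `staff` row without `session_id`, and the first hunk itself guards `renewSession` with `'session_id' in staff_account`; a logout in that state raises KeyError after the cookie has already been cleared. Guard it the same way: `if staff_account and 'session_id' in staff_account:` / `    deleteSession(staff_account['session_id'])`. The removed `setCookie(self, 'weabot_staff', '')` is no longer replaced by anything, so that cookie now survives logout — presumably intentional if it is unused elsewhere, but worth confirming. `manage` starts and ends outside this hunk.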
@@ -1852,6 +1848,52 @@ def switchBoard(new_type):
# Clean res dir
cleanDir(res_dir, ext="html")
+def newSession(staff_id):
+ import uuid
+ session_uuid = uuid.uuid4().hex
+
+ param_session_id = _mysql.escape_string(session_uuid)
+ param_expires = timestamp() + Settings.SESSION_TIME
+ param_staff_id = int(staff_id)
+
+ InsertDb("INSERT INTO `session` (`session_id`, `expires`, `staff_id`) VALUES (UNHEX('%s'), %d, %d)" %
+ (param_session_id, param_expires, param_staff_id))
+
+ return session_uuid
+
+def validateSession(session_id):
+ cleanSessions()
+
+ param_session_id = _mysql.escape_string(session_id)
+ param_now = timestamp()
+ session = FetchOne(
+ "SELECT HEX(session_id) as session_id, id, username, rights, added FROM `session` "
+ "INNER JOIN `staff` ON `session`.`staff_id` = `staff`.`id` "
+ "WHERE `session_id` = UNHEX('%s')" %
+ (param_session_id))
+
+ if session:
+ return session
+
+ return None
+
+def renewSession(session_id):
+ param_session_id = _mysql.escape_string(session_id)
+ param_expires = timestamp() + Settings.SESSION_TIME
+
+ UpdateDb("UPDATE `session` SET expires = %d WHERE session_id = UNHEX('%s')" %
+ (param_expires, param_session_id))
+
+def deleteSession(session_id):
+ param_session_id = _mysql.escape_string(session_id)
+
+ UpdateDb("DELETE FROM `session` WHERE session_id = UNHEX('%s')" % param_session_id)
+
+def cleanSessions():
+ param_now = timestamp()
+
+ UpdateDb("DELETE FROM `session` WHERE expires <= %d" % param_now)
+
def logAction(staff, action):
InsertDb("INSERT INTO `logs` (`timestamp`, `staff`, `action`) VALUES (" + str(timestamp()) + ", '" + _mysql.escape_string(staff) + "\', \'" + _mysql.escape_string(action) + "\')")
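Review bot: `validateSession` computes `param_now` but never uses it, and the lookup query has no `expires` bound, so a session is accepted purely because `cleanSessions()` happened to delete it first; the unused variable suggests the bound was intended, and it is the check that makes the function correct on its own. Change the WHERE clause to `"WHERE `session_id` = UNHEX('%s') AND `expires` > %d" %` / `(param_session_id, param_now))`. The trailing `if session: return session` / `return None` can then simply be `return session`, since `FetchOne` already yields a falsy value on no match.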