From cc4760e81c600153927d69f135a871a26c05d283 Mon Sep 17 00:00:00 2001
From: TOW
Date: Wed, 3 Apr 2019 08:59:02 -0300
Subject: manage: Implementado uso de sesiones del lado del servidor (#4)

---
 cgi/manage.py | 120 +++++++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 81 insertions(+), 39 deletions(-)

diff --git a/cgi/manage.py b/cgi/manage.py
index 3df0f77..8a2c7e4 100644
--- a/cgi/manage.py
+++ b/cgi/manage.py
@@ -20,47 +20,43 @@ def manage(self, path_split): administrator = False moderator = True skiptemplate = False + staff_account = None - try: - if self.formdata['username'] and self.formdata['password']: - # If no admin accounts available, create admin:admin - first_admin = FetchOne("SELECT 1 FROM `staff` WHERE `rights` = 0 LIMIT 1", 0) - if not first_admin: - InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('admin', '" + _mysql.escape_string(genPasswd("admin")) + "', 0, 0)") + if 'username' in self.formdata and 'password' in self.formdata: + # If no admin accounts available, create admin:admin + first_admin = FetchOne("SELECT 1 FROM `staff` WHERE `rights` = 0 LIMIT 1", 0) + if not first_admin: + InsertDb("INSERT INTO `staff` (`username`, `password`, `added`, `rights`) VALUES ('admin', '" + _mysql.escape_string(genPasswd("admin")) + "', 0, 0)") - password = genPasswd(self.formdata['password']) - - valid_account = FetchOne("SELECT * FROM `staff` WHERE `username` = '" + _mysql.escape_string(self.formdata['username']) + "' AND `password` = '" + _mysql.escape_string(password) + "' LIMIT 1") - if valid_account: - setCookie(self, 'weabot_manage', self.formdata['username'] + ':' + valid_account['password'], domain='THIS') - UpdateDb('DELETE FROM `logs` WHERE `timestamp` < ' + str(timestamp() - 604800)) # one week - else: - page += _('Incorrect username/password.') - logAction('', 'Failed log-in. 
U:'+_mysql.escape_string(self.formdata['username'])+' IP:'+self.environ["REMOTE_ADDR"]) - except: - pass - - try: + password = genPasswd(self.formdata['password']) + + staff_account = FetchOne("SELECT * FROM `staff` WHERE `username` = '" + _mysql.escape_string(self.formdata['username']) + "' AND `password` = '" + _mysql.escape_string(password) + "' LIMIT 1") + if staff_account: + session_uuid = newSession(staff_account['id']) + setCookie(self, 'weabot_manage', session_uuid) + UpdateDb('DELETE FROM `logs` WHERE `timestamp` < ' + str(timestamp() - 604800)) # one week + else: + page += _('Incorrect username/password.') + logAction('', 'Failed log-in. U:'+_mysql.escape_string(self.formdata['username'])+' IP:'+self.environ["REMOTE_ADDR"]) + else: + # Validate existing session manage_cookie = getCookie(self, 'weabot_manage') - if manage_cookie != '': - username, password = manage_cookie.split(':') - staff_account = FetchOne("SELECT * FROM `staff` WHERE `username` = '" + _mysql.escape_string(username) + "' AND `password` = '" + _mysql.escape_string(password) + "' LIMIT 1") - if staff_account: - validated = True - if staff_account['rights'] == '0' or staff_account['rights'] == '1' or staff_account['rights'] == '2': - administrator = True - if staff_account['rights'] == '2': - moderator = False - UpdateDb('UPDATE `staff` SET `lastactive` = ' + str(timestamp()) + ' WHERE `id` = ' + staff_account['id'] + ' LIMIT 1') - except: - pass + if manage_cookie: + staff_account = validateSession(manage_cookie) + if not staff_account: + page += "La sesiĆ³n ha expirado. Por favor ingresa tus credenciales nuevamente." 
+ deleteCookie(self, 'weabot_manage') - #validated = True - #moderator = True - #staff_account = {} - #staff_account['username'] = '' - #staff_account['rights'] = '0' - #staff_account['added'] = '0' + if staff_account: + validated = True + if 'session_id' in staff_account: + renewSession(staff_account['session_id']) + + if staff_account['rights'] in ['0', '1', '2']: + administrator = True + if staff_account['rights'] == '2': + moderator = False + UpdateDb('UPDATE `staff` SET `lastactive` = ' + str(timestamp()) + ' WHERE `id` = ' + staff_account['id'] + ' LIMIT 1') if not validated: template_filename = "login.html" @@ -1462,8 +1458,8 @@ def manage(self, path_split): template_values = {'logs': logs} elif path_split[2] == 'logout': message = _('Logging out...') + '' - setCookie(self, 'weabot_manage', '', domain='THIS') - setCookie(self, 'weabot_staff', '') + deleteCookie(self, 'weabot_manage') + deleteSession(staff_account['session_id']) template_filename = "message.html" elif path_split[2] == 'quotes': # Quotes for the post screen 
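Review bot: The membership test `if 'username' in self.formdata and 'password' in self.formdata:` takes the login path for blank fields too, whereas the removed check required non-empty values; any request that posts empty credential fields now skips the session branch entirely, lands on `Incorrect username/password.` and writes a failed-login log entry without the cookie ever being consulted. If `formdata` is a plain dict, `if self.formdata.get('username') and self.formdata.get('password'):` keeps the old semantics. The expiry message `page += "La sesiĆ³n ha expirado..."` is the only user-facing string in the hunk not passed through `_()` like the neighbouring messages, and the text looks mis-encoded (presumably `sesión`), so it is worth confirming the file is saved as UTF-8. A successful login also inserts a fresh session row while any session the browser already held in `weabot_manage` stays in the table until it expires; deleting that one before `newSession` keeps a single live session per login. manage() continues past the end of the hunk.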
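Review bot: `deleteSession(staff_account['session_id'])` raises KeyError when `staff_account` was filled by the login branch earlier in manage(), which stores the bare `staff` row without a `session_id` key (the renewal site guards for exactly that case), so a logout request that happens to carry username/password fields would fail. Since the cookie value is the session id, deleting by it is robust: `manage_cookie = getCookie(self, 'weabot_manage')`, `if manage_cookie: deleteSession(manage_cookie)`, then `deleteCookie(self, 'weabot_manage')`. The removed line also cleared `weabot_staff`; if that cookie is still set anywhere, logout should keep clearing it. The enclosing branch of manage() starts and ends outside the hunk.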
@@ -1852,6 +1848,52 @@ def switchBoard(new_type): # Clean res dir cleanDir(res_dir, ext="html") +def newSession(staff_id): + import uuid + session_uuid = uuid.uuid4().hex + + param_session_id = _mysql.escape_string(session_uuid) + param_expires = timestamp() + Settings.SESSION_TIME + param_staff_id = int(staff_id) + + InsertDb("INSERT INTO `session` (`session_id`, `expires`, `staff_id`) VALUES (UNHEX('%s'), %d, %d)" % + (param_session_id, param_expires, param_staff_id)) + + return session_uuid + +def validateSession(session_id): + cleanSessions() + + param_session_id = _mysql.escape_string(session_id) + param_now = timestamp() + session = FetchOne( + "SELECT HEX(session_id) as session_id, id, username, rights, added FROM `session` " + "INNER JOIN `staff` ON `session`.`staff_id` = `staff`.`id` " + "WHERE `session_id` = UNHEX('%s')" % + (param_session_id)) + + if session: + return session + + return None + +def renewSession(session_id): + param_session_id = _mysql.escape_string(session_id) + param_expires = timestamp() + Settings.SESSION_TIME + + UpdateDb("UPDATE `session` SET expires = %d WHERE session_id = UNHEX('%s')" % + (param_expires, param_session_id)) + +def deleteSession(session_id): + param_session_id = _mysql.escape_string(session_id) + + UpdateDb("DELETE FROM `session` WHERE session_id = UNHEX('%s')" % param_session_id) + +def cleanSessions(): + param_now = timestamp() + + UpdateDb("DELETE FROM `session` WHERE expires <= %d" % param_now) + def logAction(staff, action): InsertDb("INSERT INTO `logs` (`timestamp`, `staff`, `action`) VALUES (" + str(timestamp()) + ", '" + _mysql.escape_string(staff) + "\', \'" + _mysql.escape_string(action) + "\')") -- cgit v1.2.1-18-gbd029
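Review bot: validateSession() never checks `expires` in its lookup — `param_now` is computed and then unused — so an expired session is rejected only because `cleanSessions()` ran a DELETE a moment earlier; if that statement fails or the row is read between the sweep and the lookup, a stale session validates. Make the lookup self-sufficient: `"WHERE session_id = UNHEX('%s') AND expires > %d" % (param_session_id, param_now)`. The unqualified `id` in the SELECT list would be ambiguous if the `session` table also has an `id` column (the schema is not in the diff); writing it as `staff.id` makes the intent explicit either way. `import uuid` belongs with the module imports rather than inside newSession(), and `if session: return session` / `return None` is just `return session or None`. renewSession() extends a session indefinitely on activity; if a maximum lifetime is wanted, an absolute cap needs its own column.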