From 4140287ce8ebd268c9889d2b0269a4812641b803 Mon Sep 17 00:00:00 2001
From: Renard
Date: Thu, 16 Jul 2020 13:18:19 -0400
Subject: Mod API

---
 cgi/modapi.py | 138 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 cgi/weabot.py |  10 ++++-
 2 files changed, 147 insertions(+), 1 deletion(-)
 create mode 100644 cgi/modapi.py

(limited to 'cgi')

diff --git a/cgi/modapi.py b/cgi/modapi.py
new file mode 100644
index 0000000..d80a689
--- /dev/null
+++ b/cgi/modapi.py
@@ -0,0 +1,138 @@
+# coding=utf-8
+import json
+import _mysql
+import time
+
+from framework import *
+from database import *
+from post import *
+
+
+def api(self, path_split):
+    validated = False
+
+    manage_cookie = getCookie(self, 'weabot_manage')
+    if manage_cookie:
+        staff_account = validateSession(manage_cookie)
+        if not staff_account:
+            self.output = api_error("error", "Session expired")
+            deleteCookie(self, 'weabot_manage')
+
+    if staff_account:
+        validated = True
+        if 'session_id' in staff_account:
+            renewSession(staff_account['session_id'])
+
+        UpdateDb('UPDATE `staff` SET `lastactive` = ' + str(timestamp()
+                                                            ) + ' WHERE `id` = ' + staff_account['id'] + ' LIMIT 1')
+
+    if len(path_split) > 2:
+        try:
+            if validated:
+                self.output = api_process(self, path_split)
+            else:
+                self.output = api_error("error", "No has iniciado sesión ")
+        except APIError, e:
+            self.output = api_error("error", e.message)
+        except UserError, e:
+            self.output = api_error("failed", e.message)
+        except Exception, e:
+            import sys
+            import traceback
+            exc_type, exc_value, exc_traceback = sys.exc_info()
+            detail = ["%s : %s : %s : %s" % (os.path.basename(
+                o[0]), o[1], o[2], o[3]) for o in traceback.extract_tb(exc_traceback)]
+
+            self.output = api_error("exception", str(e), str(type(e)), detail)
+    else:
+        self.output = api_error("error", "No method specified")
+
+
+def api_process(self, path_split):
+    formdata = self.formdata
+    ip = self.environ["REMOTE_ADDR"]
+    t = time.time()
+    method = path_split[2]
+    values = {'state': 'success'}
+
+    if method == 'news':
+        news = FetchAll(
+            "SELECT * FROM `news` WHERE type = 1 ORDER BY `timestamp` DESC")
+        values['news'] = news
+    else:
+        raise APIError, "Invalid method"
+
+    values['time'] = int(t)
+    return json.dumps(values, sort_keys=True, separators=(',', ':'))
+
+
+def api_error(errtype, msg, type=None, detail=None):
+    values = {'state': errtype, 'message': msg}
+
+    if type:
+        values['type'] = type
+    if detail:
+        values['detail'] = detail
+
+    return json.dumps(values)
+
+
+def newSession(staff_id):
+    import uuid
+    session_uuid = uuid.uuid4().hex
+
+    param_session_id = _mysql.escape_string(session_uuid)
+    param_expires = timestamp() + Settings.SESSION_TIME
+    param_staff_id = int(staff_id)
+
+    InsertDb("INSERT INTO `session` (`session_id`, `expires`, `staff_id`) VALUES (UNHEX('%s'), %d, %d)" %
+             (param_session_id, param_expires, param_staff_id))
+
+    return session_uuid
+
+
+def validateSession(session_id):
+    cleanSessions()
+
+    param_session_id = _mysql.escape_string(session_id)
+    param_now = timestamp()
+    session = FetchOne(
+        "SELECT HEX(session_id) as session_id, id, username, rights, added FROM `session` "
+        "INNER JOIN `staff` ON `session`.`staff_id` = `staff`.`id` "
+        "WHERE `session_id` = UNHEX('%s')" %
+        (param_session_id))
+
+    if session:
+        return session
+
+    return None
+
+
+def renewSession(session_id):
+    param_session_id = _mysql.escape_string(session_id)
+    param_expires = timestamp() + Settings.SESSION_TIME
+
+    UpdateDb("UPDATE `session` SET expires = %d WHERE session_id = UNHEX('%s')" %
+             (param_expires, param_session_id))
+
+
+def deleteSession(session_id):
+    param_session_id = _mysql.escape_string(session_id)
+
+    UpdateDb("DELETE FROM `session` WHERE session_id = UNHEX('%s')" %
+             param_session_id)
+
+
+def cleanSessions():
+    param_now = timestamp()
+
+    UpdateDb("DELETE FROM `session` WHERE expires <= %d" % param_now)
+
+
+def logAction(staff, action):
+    InsertDb("INSERT INTO `logs` (`timestamp`, `staff`, `action`) VALUES (" + str(timestamp()) +
+             ", '" + _mysql.escape_string(staff) + "\', \'" + _mysql.escape_string(action) + "\')")
+
+
+class APIError(Exception):
+    pass
diff --git a/cgi/weabot.py b/cgi/weabot.py
index 0f59654..ec88cac 100755
--- a/cgi/weabot.py
+++ b/cgi/weabot.py
@@ -324,7 +324,8 @@ class weabot(object):
             elif path_split[1] == "banned":
                 OpenDb()
                 packed_ip = self.environ["REMOTE_ADDR"]
-                bans = FetchAll("SELECT * FROM `bans` WHERE `ip` = INET6_ATON('"+str(packed_ip)+"')")
+                bans = FetchAll(
+                    "SELECT * FROM `bans` WHERE `ip` = INET6_ATON('"+str(packed_ip)+"')")
                 if bans:
                     for ban in bans:
                         if ban["boards"] != "":
@@ -377,6 +378,13 @@ class weabot(object):
                 except Exception, messagez:
                     self.output = "Error: " + \
                         str(messagez) + " : " + str(self.formdata)
+            elif path_split[1] == "mod":
+                import modapi
+                caught = True
+                self.headers = [("Content-Type", "application/json"), ("Access-Control-Allow-Origin", "*"), ("Access-Control-Allow-Methods",
+                                                                                                             "PUT, GET, POST, DELETE, OPTIONS"), ("Access-Control-Allow-Headers", "Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With")]
+                OpenDb()
+                modapi.api(self, path_split)
         if not caught:
             # Redirect the user back to the front page
             self.output += '<html xmlns="http://www.w3.org/1999/xhtml"><body><meta http-equiv="refresh" content="0;url=%s" /><p>--&gt; --&gt; --&gt;</p></body></html>' % Settings.HOME_URL
-- 
cgit v1.2.1-18-gbd029