From 449540024f0e3929bfb0d477f3a12ec5ee0dca79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaakko=20Kera=CC=88nen?=
Date: Fri, 27 Oct 2023 06:42:42 +0300
Subject: [PATCH 1/1] Require tokens for posting and changing profile
---
 feeds.py | 15 ++++++++++-----
 model.py | 16 ++++++++++------
 settings.py | 14 ++++++++------
 3 files changed, 28 insertions(+), 17 deletions(-)
diff --git a/feeds.py b/feeds.py
index ddaf87a..06e92c3 100644
--- a/feeds.py
+++ b/feeds.py
@@ -101,6 +101,8 @@ def make_post_page_or_configure_feed(session):
 if session.user.role == User.LIMITED and (not session.c_user or not session.c_user.id != session.user.id):
 return 61, "Not authorized"
+ if session.user.role == User.LIMITED and not db.verify_token(session.user, arg2):
+ return 61, "Expired"
 draft_id = db.create_post(session.user, session.context.id)
 return 30, '/edit/%d' % draft_id
@@ -113,6 +115,8 @@ def make_post_page_or_configure_feed(session):
 return 61, "Subspace is locked"
 if session.user.role == User.LIMITED and not session.c_user:
 return 61, "Not authorized"
+ if session.user.role == User.LIMITED and not db.verify_token(session.user, arg2):
+ return 61, "Expired"
 if session.is_gemini:
 if is_empty_query(req):
@@ -625,11 +629,12 @@ def make_feed_page(session):
 page += f'=> /s/ {session.bubble.site_icon} Subspaces\n'
 page += session.FOOTER_MENU
 else:
+ token = session.get_token()
 page += session.dashboard_link()
 if not session.is_context_locked:
 if c_user and c_user.id == user.id:
- page += f'=> /u/{user.name}/post 💬 New post\n'
- page += f'=> /u/{user.name}/compose ✏️ Compose draft\n'
+ page += f'=> /u/{user.name}/post/{token} 💬 New post\n'
+ page += f'=> /u/{user.name}/compose/{token} ✏️ Compose draft\n'
 elif context and context.owner == 0:
 if is_issue_tracker:
 if session.user.role != User.LIMITED:
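Review bot: The new token check in the `/post` handler runs only when `session.user.role == User.LIMITED`, so for every other role the `arg2` token is never verified and, as far as the hunk shows, the un-tokenised post path presumably still works; the same role gate is repeated in the second hunk (@@ -113). If the commit's intent is to require a token for all posting, drop the role condition: `if not db.verify_token(session.user, arg2):` — if the LIMITED-only scope is deliberate, a one-line comment above the check saying why would stop a later reader from widening it. Status 61 is the Gemini "certificate not authorised" code, so clients will render "Expired" under that heading; a 30 redirect back to the feed, or 59 with a message saying the link is stale, would be clearer. The enclosing function starts before the hunk and `arg2` is bound outside it.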
@@ -637,10 +642,10 @@ def make_feed_page(session):
 else:
 if session.user.role != User.LIMITED:
 page += f'=> /{context.title()}/post 💬 New post in s/{context.name}\n'
- page += f'=> /{context.title()}/compose ✏️ Compose draft in s/{context.name}\n'
+ page += f'=> /{context.title()}/compose/{token} ✏️ Compose draft in s/{context.name}\n'
 else:
- page += f'=> /u/{user.name}/post 💬 New post in u/{user.name}\n'
- page += f'=> /u/{user.name}/compose ✏️ Compose draft in u/{user.name}\n'
+ page += f'=> /u/{user.name}/post/{token} 💬 New post in u/{user.name}\n'
+ page += f'=> /u/{user.name}/compose/{token} ✏️ Compose draft in u/{user.name}\n'
 page += f'=> /s/ {session.bubble.site_icon} Subspaces\n'
 if is_issue_tracker:
diff --git a/model.py b/model.py
index 84f6e2d..9641585 100644
--- a/model.py
+++ b/model.py
@@ -2262,7 +2262,16 @@ class Database:
 [chr(ord('A') + i) for i in range(26)] + \
 [chr(ord('0') + i) for i in range(10)]
+ def expire_tokens(self):
+ cur = self.conn.cursor()
+ cur.execute("""
+ DELETE FROM tokens
+ WHERE TIMESTAMPDIFF(MINUTE, ts, CURRENT_TIMESTAMP())>=60
+ """)
+ self.commit()
+
 def get_token(self, user: User):
+ self.expire_tokens()
 # Reuse a valid token within 5 minutes.
 cur = self.conn.cursor()
 cur.execute("""
@@ -2281,13 +2290,8 @@ class Database:
 return token
 def verify_token(self, user: User, token):
+ self.expire_tokens()
 cur = self.conn.cursor()
- cur.execute("""
- DELETE FROM tokens
- WHERE TIMESTAMPDIFF(MINUTE, ts, CURRENT_TIMESTAMP())>=60
- """)
- self.commit()
-
 cur.execute("""
 SELECT user
 FROM tokens
diff --git a/settings.py b/settings.py
index 3f04d51..33c53ec 100644
--- a/settings.py
+++ b/settings.py
@@ -23,7 +23,9 @@ def make_settings_page(session):
 if not user:
 return 60, 'Login required'
- if req.path == session.path + 'settings/avatar':
+ token = session.get_token()
+
+ if req.path == session.path + 'settings/avatar/' + token:
 AVATARS = [
 'Human',
 ('👤', 'silhouette of person'),
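Review bot: The subspace `New post` link keeps the plain `/{context.title()}/post` path while the `Compose draft` link directly under it gains `/{token}`, so the two actions in this branch now differ in whether they carry the token. The post handler in feeds.py checks the token only for `User.LIMITED` users and this branch is under `!= User.LIMITED`, so it works today, but if that check is ever widened this link fails silently. For consistency with the user-feed links lower in the hunk: `page += f'=> /{context.title()}/post/{token} 💬 New post in s/{context.name}\n'`. `make_feed_page` continues beyond the hunk.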
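Review bot: `expire_tokens` has no docstring and hard-codes the 60-minute lifetime in its SQL, while the comment in `get_token` speaks of reusing a token within 5 minutes, so the two windows that together define how long a token is valid live in unrelated places with no name. Suggest a class-level `TOKEN_LIFETIME_MINUTES = 60` interpolated into the query, and a docstring: `"""Delete every token, for any user, older than TOKEN_LIFETIME_MINUTES; commits."""`. Since both `get_token` and `verify_token` now begin with `expire_tokens()`, and `session.get_token()` is presumably backed by this method and is now called on every authenticated feed and settings render, each such request performs a DELETE plus commit; if the reuse SELECT in `get_token` already bounds `ts`, the call there can be dropped, leaving expiry to `verify_token` or to a periodic job. `get_token`'s body runs past the end of the hunk.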
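Review bot: The `settings/avatar/` branch (and `settings/info/`, `settings/url/` in hunks @@ -157 and @@ -210) accepts a request only when its path token equals what `session.get_token()` returns at that moment, whereas feeds.py accepts any token `db.verify_token` still holds; `Database.get_token` reuses a token only within 5 minutes, so a settings page opened earlier than that carries a token that no longer matches, and as far as the visible `elif` chain shows the request falls through with no error rather than the "Expired" reply the post handler gives. Matching the prefix and verifying the suffix keeps the two paths aligned: `if req.path.startswith(session.path + 'settings/avatar/'):` followed by `if not db.verify_token(user, req.path.rpartition('/')[2]): return 61, "Expired"`. Note also that `session.get_token()` is now evaluated for every settings request, including branches such as `settings/sort-feed` that never use it; `make_settings_page` continues well beyond this hunk.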
@@ -157,7 +159,7 @@ def make_settings_page(session):
 db.update_subspace(user_sub, info=clean_query(req))
 return 30, '/settings/profile'
- elif req.path == session.path + 'settings/info':
+ elif req.path == session.path + 'settings/info/' + token:
 if req.query == None:
 return 10, 'Enter profile description:'
 db.update_user(session.user, info=clean_query(req))
@@ -210,7 +212,7 @@ def make_settings_page(session):
 db.update_user(session.user, email_range=f"{begin}-{end}")
 return 30, '/settings/notif'
- elif req.path == session.path + 'settings/url':
+ elif req.path == session.path + 'settings/url/' + token:
 if req.query == None:
 return 10, 'Featured link: (URL followed by label, separate with space)'
 try:
@@ -227,16 +229,16 @@ def make_settings_page(session):
 page += '=> /settings ⚙️ Go back\n'
 page += '\n## Profile\n\n'
- page += f'=> /settings/avatar Avatar: {session.user.avatar}\n'
+ page += f'=> /settings/avatar/{token} Avatar: {session.user.avatar}\n'
 page += f'=> /settings/feed-title Feed title: {user_sub.info if user_sub.info else user.name}\n'
 page += '\n### Description\n'
 page += (session.user.info if session.user.info else '(no description)') + '\n'
- page += f'=> /settings/info Edit\n'
+ page += f'=> /settings/info/{token} Edit\n'
 page += '\n### Featured Link\n'
 page += (f'=> {session.user.url}' if session.user.url else '(no featured link)') + '\n'
- page += f'=> /settings/url Edit\n'
+ page += f'=> /settings/url/{token} Edit\n'
 return page
 elif req.path == session.path + 'settings/sort-feed':
--
2.34.1
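Review bot: The handler whose tail is visible just above the changed `elif` — `db.update_subspace(user_sub, info=clean_query(req))` then `return 30, '/settings/profile'`, which appears to be the feed-title setting that hunk @@ -227 still links as `/settings/feed-title` without a token — keeps writing profile data with no token check, although the commit's subject is to require one for changing the profile. Either extend the token to that branch, `elif req.path == session.path + 'settings/feed-title/' + token:` together with `/settings/feed-title/{token}` in the link, or add a comment at the branch saying why the feed title is exempt. That branch begins before this hunk, so its condition cannot be confirmed here.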