draft web admin: no action, no security

2022-01-30 18:56:52 +01:00 · 2022-01-30 18:56:52 +01:00 · 9b2c14e3a0
commit 9b2c14e3a0
parent 52b962b0c6
6 changed files with 101 additions and 37 deletions
--- a/run.py
+++ b/run.py
@ -1,21 +1,21 @@
 #!/usr/bin/python
 # -*- coding: UTF-8 -*-

-import sys
-import os
 import argparse
-import logging
 import hashlib
+import logging
+import os
+import sys

 from stacosys.conf.config import Config, ConfigParameter
-from stacosys.db import database
-from stacosys.core.rss import Rss
 from stacosys.core.mailer import Mailer
-from stacosys.interface import app
+from stacosys.core.rss import Rss
+from stacosys.db import database
 from stacosys.interface import api
+from stacosys.interface import app
 from stacosys.interface import form
-from stacosys.interface import webadmin
 from stacosys.interface import scheduler
+from stacosys.interface.web import admin


 # configure logging
@ -33,7 +33,6 @@ def configure_logging(level):


 def stacosys_server(config_pathname):
-
    # configure logging
    logger = logging.getLogger(__name__)
    configure_logging(logging.INFO)
@ -107,7 +106,8 @@ def stacosys_server(config_pathname):

    # inject config parameters into flask
    app.config.update(SITE_REDIRECT=conf.get(ConfigParameter.SITE_REDIRECT))
-    logger.info(f"start interfaces {api} {form} {webadmin}")
+    app.config.update(SITE_URL=conf.get(ConfigParameter.SITE_URL))
+    logger.info(f"start interfaces {api} {form} {admin}")

    # start Flask
    app.run(
--- a/stacosys/db/dao.py
+++ b/stacosys/db/dao.py
@ -29,6 +29,10 @@ def find_not_notified_comments():
    return Comment.select().where(Comment.notified.is_null())


+def find_not_published_comments():
+    return Comment.select().where(Comment.published.is_null())
+
+
 def find_published_comments_by_url(url):
    return Comment.select(Comment).where((Comment.url == url) & (Comment.published.is_null(False))).order_by(
        +Comment.published)
--- a/stacosys/interface/init.py
+++ b/stacosys/interface/init.py
@ -4,3 +4,6 @@
 from flask import Flask

 app = Flask(__name__)
+
+# Set the secret key to some random bytes. Keep this really secret!
+app.secret_key = b'_5#y2L"F4Q8z\n\xec]/'
--- a/stacosys/interface/templates/admin_fr.html
+++ b/stacosys/interface/templates/admin_fr.html
@ -0,0 +1,61 @@
+<!doctype html>
+<html lang="en-US">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Stacosys</title>
+<link rel="stylesheet" href="https://cdn.simplecss.org/simple.min.css">
+</head>
+<body>
+  <header>
+    <h1>Modération des commentaires</h1>
+  </header>
+  <main>
+      {% with messages = get_flashed_messages() %}
+      {% if messages %}
+        <blockquote>
+        {% for message in messages %}
+            <p>{{ message }}</p>
+        {% endfor %}
+      </blockquote>
+      {% endif %}
+      {% endwith %}
+    <table>
+    <thead>
+        <tr>
+            <th>Date</th>
+            <th>Auteur</th>
+            <th>Commentaire</th>
+            <th>Article</th>
+            <th>Actions</th>
+        </tr>
+    </thead>
+    <tbody>
+        {% for comment in comments %}
+        <tr>
+            <td>{{ comment.created }}</td>
+            <td>{{ comment.author_name }}</td>
+            <td>{{ comment.content }}</td>
+            <td><a href="{{ baseurl + comment.url }}">{{ comment.url }}</a></td>
+            <td>
+                <form action="/web" method="post">
+                    <input type="hidden" name="comment" value="{{comment.id}}">
+                    <input type="hidden" name="action" value="APPROVE">
+                    <button type="submit">Accepter</button>
+                </form>
+                <form action="/web" method="post">
+                    <input type="hidden" name="comment" value="{{comment.id}}">
+                    <input type="hidden" name="action" value="REJECT">
+                    <button type="submit">Rejeter</button>
+                </form>
+            </td>
+        </tr>
+        {% endfor %}
+    </tbody>
+    </table>
+  </main>
+  <footer>
+    <p>Cette page a été conçue par Yax avec <a href="https://simplecss.org">Simple.css</a>.</p>
+  </footer>
+</body>
+</html>
--- a/stacosys/interface/web/admin.py
+++ b/stacosys/interface/web/admin.py
@ -0,0 +1,24 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+
+import logging
+
+from flask import request, redirect, flash, render_template
+
+from stacosys.db import dao
+from stacosys.interface import app
+
+logger = logging.getLogger(__name__)
+
+
+@app.route("/web", methods=["GET"])
+def admin_homepage():
+    lang = "fr"
+    comments = dao.find_not_published_comments()
+    return render_template("admin_" + lang + ".html", comments=comments, baseurl=app.config.get("SITE_URL"))
+
+
+@app.route("/web", methods=["POST"])
+def admin_action():
+    flash(request.form.get("comment") + " " + request.form.get("action"))
+    return redirect('/web')
--- a/stacosys/interface/webadmin.py
+++ b/stacosys/interface/webadmin.py
@ -1,28 +0,0 @@
-#!/usr/bin/env python
-# -*- coding: utf-8 -*-
-
-import logging
-import os
-from stacosys.core.templater import Templater, Template
-
-from flask import jsonify, request
-from flask import render_template
-
-from stacosys.db import dao
-from stacosys.interface import app
-
-logger = logging.getLogger(__name__)
-
-
-current_path = os.path.dirname(__file__)
-template_path = os.path.abspath(os.path.join(current_path, "../templates"))
-templater = Templater(template_path)
-
-@app.route("/web/comment", methods=["GET"])
-def web_comment_approval():
-    lang = "fr"
-    return templater.get_template(lang, Template.WEB_COMMENT_APPROVAL).render(
-        name="Yax")
-
-
-