forked from Decentrala/taskmanager
add user input sanitation
This commit is contained in:
parent
ed38156e77
commit
e615f774ad
@ -4,8 +4,7 @@ from taskmanager.functions import *
|
|||||||
from taskmanager.models import *
|
from taskmanager.models import *
|
||||||
import configparser
|
import configparser
|
||||||
|
|
||||||
#CONFIG_PATH = "/var/taskmanager/taskmanager/config.ini"
|
CONFIG_PATH = "/var/taskmanager/taskmanager/config.ini"
|
||||||
CONFIG_PATH = "/home/anon/src/taskmanager/taskmanager/config.ini"
|
|
||||||
|
|
||||||
config = configparser.ConfigParser()
|
config = configparser.ConfigParser()
|
||||||
config.read(CONFIG_PATH)
|
config.read(CONFIG_PATH)
|
||||||
@ -25,6 +24,17 @@ def addtask():
|
|||||||
taskname = request.form['taskname']
|
taskname = request.form['taskname']
|
||||||
taskdesc = request.form['taskdesc']
|
taskdesc = request.form['taskdesc']
|
||||||
username = request.form['username']
|
username = request.form['username']
|
||||||
|
# Input sanitation
|
||||||
|
if not taskname.isalnum():
|
||||||
|
return "Task name has to be made only of letters or numbers."
|
||||||
|
if not username.isalnum():
|
||||||
|
return "Username has to be made only of letters or numbers."
|
||||||
|
if not taskdesc.isprintable():
|
||||||
|
return "Task description has to be made of printable characters."
|
||||||
|
if len(taskname) < 1 or len(taskname) > 40:
|
||||||
|
return "Task name lenght invalid, only smaller then 40 charachters allowed"
|
||||||
|
if len(taskdesc) > 2000:
|
||||||
|
return "Task description lenght invalid, only smaller then 2000 charachters allowed"
|
||||||
if username == "":
|
if username == "":
|
||||||
creatorid = None
|
creatorid = None
|
||||||
else:
|
else:
|
||||||
@ -50,6 +60,18 @@ def register():
|
|||||||
username = request.form['username']
|
username = request.form['username']
|
||||||
contact = request.form['contact']
|
contact = request.form['contact']
|
||||||
password = request.form['password']
|
password = request.form['password']
|
||||||
|
if not username.isalnum():
|
||||||
|
return "Username has to be made only of letters or numbers."
|
||||||
|
if not contact.isprintable():
|
||||||
|
return "Contact information has to be made of printable characters."
|
||||||
|
if not password.isprintable():
|
||||||
|
return "Password has to be made of printable characters."
|
||||||
|
if len(username) < 1 or len(username) > 40:
|
||||||
|
return "Username lenght invalid, only smaller then 40 charachters allowed"
|
||||||
|
if len(contact) > 100:
|
||||||
|
return "Contact lenght invalid, only smaller then 100 charachters allowed"
|
||||||
|
if len(password) > 500:
|
||||||
|
return "Password lenght invalid, only smaller then 500 charachters allowed"
|
||||||
sqladduser = User(username = username, contact = contact, password = password)
|
sqladduser = User(username = username, contact = contact, password = password)
|
||||||
try:
|
try:
|
||||||
db.session.add(sqladduser)
|
db.session.add(sqladduser)
|
||||||
@ -75,6 +97,8 @@ def project(task_id:int):
|
|||||||
return render_template("project.html", task = task, users = users)
|
return render_template("project.html", task = task, users = users)
|
||||||
elif request.method == 'POST':
|
elif request.method == 'POST':
|
||||||
username = request.form['username']
|
username = request.form['username']
|
||||||
|
if len(username) < 1 or len(username) > 40:
|
||||||
|
return "Username lenght invalid, only smaller then 40 charachters allowed"
|
||||||
if username in users:
|
if username in users:
|
||||||
return 'User already added to task'
|
return 'User already added to task'
|
||||||
try:
|
try:
|
||||||
@ -112,6 +136,8 @@ def deltask(task_id:int):
|
|||||||
return render_template('deltask.html', task = task)
|
return render_template('deltask.html', task = task)
|
||||||
if request.method == 'POST':
|
if request.method == 'POST':
|
||||||
password = request.form['password']
|
password = request.form['password']
|
||||||
|
if len(password) < 1 or len(password) > 500:
|
||||||
|
return "Password lenght invalid, only smaller then 500 charachters allowed"
|
||||||
# Check password
|
# Check password
|
||||||
if password != ADMINPASS and password != User.query.get(creatorid).password:
|
if password != ADMINPASS and password != User.query.get(creatorid).password:
|
||||||
return 'Wrong password'
|
return 'Wrong password'
|
||||||
|
Loading…
Reference in New Issue
Block a user