Commit 5378c7fd authored by Julian Rother's avatar Julian Rother

Added rights check in all queries

parent 289fdcdb
......@@ -111,10 +111,16 @@ def ldapget(user):
else:
return notldap[user][2]
def login_required(func):
def ismod(*args):
print('mod test', session, 'user' in session, args)
return ('user' in session)
app.jinja_env.globals['ismod'] = ismod
def mod_required(func):
@wraps(func)
def decorator(*args, **kwargs):
if not 'user' in session:
if not ismod():
flash('Diese Funktion ist nur für Moderatoren verfügbar!')
return redirect(url_for('login', ref=request.url))
else:
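Review bot: `ismod()` writes the whole session object to stdout on every call (`print('mod test', session, 'user' in session, args)`), and because it is now invoked from every query in this commit and registered as a Jinja global, session contents land in the process log on each request; this reads as a debugging leftover and the body should be just `return 'user' in session`. The `*args` parameter is unused and apparently only absorbs whatever templates pass in, which deserves a comment such as `# *args accepted so templates can call ismod() with any arguments`. Note also that `ismod()` only tests `'user' in session`, so `mod_required` and every `(? OR …)` visibility bypass added in this commit treat any logged-in user as a moderator — presumably a placeholder, but a `# TODO: replace with a real role check` at the definition would make that explicit. The `mod_required` wrapper continues outside the hunk.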
......@@ -132,18 +138,18 @@ def index():
GROUP BY videos.lecture_id
ORDER BY lastvidtime DESC
LIMIT 6
''', False))
''', ismod()))
@app.route('/videos')
def videos():
c=query("SELECT * FROM courses")
for i in c:
if i['semester'] == '':
i['semester'] = 'zeitlos'
courses = query('SELECT * FROM courses WHERE (? OR (visible AND listed))', ismod())
for course in courses:
if course['semester'] == '':
course['semester'] = 'zeitlos'
groupedby = request.args.get('groupedby')
if groupedby not in ['title','semester','organizer']:
groupedby = 'semester'
return render_template('videos.html', courses=c, groupedby=groupedby)
return render_template('videos.html', courses=courses, groupedby=groupedby)
@app.route('/faq')
def faq():
......@@ -151,15 +157,21 @@ def faq():
@app.route('/play')
def play():
if 'lectureid' in request.args:
id = request.args['lectureid']
lecture=query('SELECT * FROM lectures WHERE id = ?', id)[0]
return render_template('play.html',
lecture=lecture,
videos=query('SELECT * FROM videos WHERE lecture_id = ?', id),
course=query('SELECT * FROM courses WHERE id = ?',lecture['course_id'])[0])
else:
return redirect(url_for('index'))
if not 'lectureid' in request.args:
return redirect(url_for('videos'))
id = request.args.get('lectureid')
lectures = query('SELECT * FROM lectures WHERE id = ? AND (? OR visible)', id, ismod())
videos = query('SELECT * FROM videos WHERE lecture_id = ? AND (? OR visible)', id, ismod())
if not lectures:
flash('Diese Vorlesung existiert nicht!')
return app.view_functions['videos'](), 404
if not videos:
flash('Zu dieser Vorlesung wurden noch keine Videos veröffentlicht!')
courses = query('SELECT * FROM courses WHERE id = ? AND (? OR (visible AND listed))', lectures[0]['course_id'], ismod())
if not courses:
flash('Diese Veranstaltung existiert nicht!')
return app.view_functions['videos'](), 404
return render_template('play.html', course=courses[0], lecture=lectures[0], videos=videos)
@app.route('/search')
def search():
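Review bot: The course lookup `courses = query('SELECT * FROM courses WHERE id = ? AND (? OR (visible AND listed))', lectures[0]['course_id'], ismod())` requires `listed` for non-moderators, while the `course()` view in the next hunk accepts any `visible` course regardless of `listed`; as written, a lecture of a visible-but-unlisted course returns 404 here although its course page renders normally. If unlisted is meant as "hidden from listings but reachable by direct link", the condition here should be `(? OR visible)`; if not, `course()` should gain `listed` — either way the two views should agree and a short comment should state which rule applies. The local `id` also shadows the builtin; `lecture_id` would read better and avoids confusion with the row's `id` column.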
......@@ -167,24 +179,32 @@ def search():
return redirect(url_for('index'))
q = request.args['q']
courses = searchquery(q, '*', ['title', 'short', 'organizer', 'subject', 'description'],
'courses', 'WHERE (? OR (visible AND listed)) GROUP BY id ORDER BY _score DESC, semester DESC LIMIT 20', False)
'courses', 'WHERE (? OR (visible AND listed)) GROUP BY id ORDER BY _score DESC, semester DESC LIMIT 20', ismod())
lectures = searchquery(q, 'lectures.*, courses.visible AS coursevisible, courses.listed, courses.short, courses.downloadable, courses.title AS coursetitle',
['lectures.title', 'lectures.comment', 'lectures.speaker', 'courses.short'],
'lectures LEFT JOIN courses on (courses.id = lectures.course_id)',
'WHERE (? OR (coursevisible AND listed AND visible)) GROUP BY id ORDER BY _score DESC, time DESC LIMIT 30', False)
'WHERE (? OR (coursevisible AND listed AND visible)) GROUP BY id ORDER BY _score DESC, time DESC LIMIT 30', ismod())
return render_template('search.html', searchtext=request.args['q'], courses=courses, lectures=lectures)
@app.route('/course')
def course():
if 'courseid' in request.args:
id = request.args['courseid']
course = query('SELECT * FROM courses WHERE handle = ?', id)[0]
return render_template('course.html',
course=course,
lectures=query('SELECT * FROM lectures WHERE course_id = ?', course['id']),
videos=query('SELECT *, formats.description AS format_description FROM videos JOIN lectures ON (videos.lecture_id = lectures.id) JOIN formats ON (videos.video_format = formats.id) WHERE lectures.course_id= ? ORDER BY formats.prio DESC', course['id']))
else:
return redirect(url_for('index'))
if not 'courseid' in request.args:
return redirect(url_for('videos'))
id = request.args['courseid']
courses = query('SELECT * FROM courses WHERE handle = ? AND (? OR visible)', id, ismod())
if not courses:
flash('Diese Veranstaltung existiert nicht!')
return app.view_functions['videos'](), 404
lectures = query('SELECT * FROM lectures WHERE course_id = ? AND (? OR visible)', courses[0]['id'], ismod())
videos = query('''
SELECT *, formats.description AS format_description
FROM videos
JOIN lectures ON (videos.lecture_id = lectures.id)
JOIN formats ON (videos.video_format = formats.id)
WHERE lectures.course_id= ?
ORDER BY formats.prio DESC
''', courses[0]['id'])
return render_template('course.html', course=courses[0], lectures=lectures, videos=videos)
@app.route('/login', methods=['GET', 'POST'])
def login():
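Review bot: The videos query in `course()` (`WHERE lectures.course_id= ?` … `''', courses[0]['id'])`) is the one query in this commit without a rights check: the `lectures` list just above it is filtered with `(? OR visible)`, but the joined videos query returns rows from hidden lectures and hidden videos to every visitor, so the template receives videos it has no matching lecture for. Both `lectures.visible` and `videos.visible` are already used as filters in `play()`, so the fix is the same predicate here: `WHERE lectures.course_id = ? AND (? OR (lectures.visible AND videos.visible))` with the call ending `''', courses[0]['id'], ismod())`. Given the `(? OR …)` clause is now repeated in six places, a comment at the first one naming the convention (moderators bypass visibility, everyone else sees only visible/listed rows) would help keep the next query consistent.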
......@@ -209,7 +229,7 @@ def logout():
return redirect(url_for('index'))
@app.route('/edit')
@login_required
@mod_required
def edit():
tabs = {
'courses': ('courses_data', 'id', ['visible', 'listed', 'title', 'short',