From 5378c7fd3352d901b4540a23018184153d5d204c Mon Sep 17 00:00:00 2001
From: Julian Rother <julianr@fsmpi.rwth-aachen.de>
Date: Sun, 28 Aug 2016 19:47:22 +0200
Subject: [PATCH] Added rights check in all queries

---
 server.py | 78 ++++++++++++++++++++++++++++++++++---------------------
 1 file changed, 49 insertions(+), 29 deletions(-)

diff --git a/server.py b/server.py
index 3ab0ec4..01eba30 100755
--- a/server.py
+++ b/server.py
@@ -111,10 +111,16 @@ def ldapget(user):
 	else:
 		return notldap[user][2]
 
-def login_required(func):
+def ismod(*args):
+	print('mod test', session, 'user' in session, args)
+	return ('user' in session)
+
+app.jinja_env.globals['ismod'] = ismod
+
+def mod_required(func):
 	@wraps(func)
 	def decorator(*args, **kwargs):
-		if not 'user' in session:
+		if not ismod():
 			flash('Diese Funktion ist nur für Moderatoren verfügbar!')
 			return redirect(url_for('login', ref=request.url))
 		else:
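Review bot: The `print('mod test', session, 'user' in session, args)` line in the new ismod() dumps the full session contents to stdout on every call, and ismod() is now invoked once per query in the views below and from templates through the jinja global, so session data lands in the server output several times per request; drop the line, or at most keep a boolean with `app.logger.debug('ismod: %s', 'user' in session)`. ismod() also only tests for the presence of the 'user' key, so if login() ever admits accounts that are not moderators they pass mod_required and every `? OR visible` filter alike; a docstring such as `"""True if a user is logged in; every logged-in user counts as a moderator."""` would make that contract explicit. The `*args` parameter is accepted and ignored, presumably so templates can call it with arguments — the docstring should say so. mod_required's inner decorator continues outside the hunk.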
@@ -132,18 +138,18 @@ def index():
 				GROUP BY videos.lecture_id
 				ORDER BY lastvidtime DESC
 				LIMIT 6
-			''', False))
+			''', ismod()))
 
 @app.route('/videos')
 def videos():
-	c=query("SELECT * FROM courses")
-	for i in c:
-		if i['semester'] == '':
-			i['semester'] = 'zeitlos'
+	courses = query('SELECT * FROM courses WHERE (? OR (visible AND listed))', ismod())
+	for course in courses:
+		if course['semester'] == '':
+			course['semester'] = 'zeitlos'
 	groupedby = request.args.get('groupedby')
 	if groupedby not in ['title','semester','organizer']:
 		groupedby = 'semester'
-	return render_template('videos.html', courses=c, groupedby=groupedby)
+	return render_template('videos.html', courses=courses, groupedby=groupedby)
 
 @app.route('/faq')
 def faq():
@@ -151,15 +157,21 @@ def faq():
 
 @app.route('/play')
 def play():
-	if 'lectureid' in request.args:
-		id = request.args['lectureid']
-		lecture=query('SELECT * FROM lectures WHERE id = ?', id)[0]
-		return render_template('play.html',
-				lecture=lecture,
-				videos=query('SELECT * FROM videos WHERE lecture_id = ?', id),
-				course=query('SELECT * FROM courses WHERE id = ?',lecture['course_id'])[0])
-	else:
-		return redirect(url_for('index'))
+	if not 'lectureid' in request.args:
+		return redirect(url_for('videos'))
+	id = request.args.get('lectureid')
+	lectures = query('SELECT * FROM lectures WHERE id = ? AND (? OR visible)', id, ismod())
+	videos = query('SELECT * FROM videos WHERE lecture_id = ? AND (? OR visible)', id, ismod())
+	if not lectures:
+		flash('Diese Vorlesung existiert nicht!')
+		return app.view_functions['videos'](), 404
+	if not videos:
+		flash('Zu dieser Vorlesung wurden noch keine Videos veröffentlicht!')
+	courses = query('SELECT * FROM courses WHERE id = ? AND (? OR (visible AND listed))', lectures[0]['course_id'], ismod())
+	if not courses:
+		flash('Diese Veranstaltung existiert nicht!')
+		return app.view_functions['videos'](), 404
+	return render_template('play.html', course=courses[0], lecture=lectures[0], videos=videos)
 
 @app.route('/search')
 def search():
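Review bot: The course predicate in play() (`courses = query('SELECT * FROM courses WHERE id = ? AND (? OR (visible AND listed))', ...)`) is stricter than the one course() uses in the next hunk, `(? OR visible)`, so a visible-but-unlisted course opens via /course while its lectures return 404 via /play. Use one predicate in both places — `visible` alone if unlisted is meant to keep a course out of listings but not out of direct links. The videos query is also issued before `if not lectures:` and its result is discarded on the 404 path; move it below that check. Style: `if not 'lectureid' in request.args:` reads better as `if 'lectureid' not in request.args:` (same in course()). search() continues outside the hunk.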
@@ -167,24 +179,32 @@ def search():
 		return redirect(url_for('index'))
 	q = request.args['q']
 	courses = searchquery(q, '*', ['title', 'short', 'organizer', 'subject', 'description'],
-			'courses', 'WHERE (? OR (visible AND listed)) GROUP BY id ORDER BY _score DESC, semester DESC LIMIT 20', False)
+			'courses', 'WHERE (? OR (visible AND listed)) GROUP BY id ORDER BY _score DESC, semester DESC LIMIT 20', ismod())
 	lectures = searchquery(q, 'lectures.*, courses.visible AS coursevisible, courses.listed, courses.short, courses.downloadable, courses.title AS coursetitle',
 			['lectures.title', 'lectures.comment', 'lectures.speaker', 'courses.short'],
 			'lectures LEFT JOIN courses on (courses.id = lectures.course_id)',
-			'WHERE (? OR (coursevisible AND listed AND visible)) GROUP BY id ORDER BY _score DESC, time DESC LIMIT 30', False)
+			'WHERE (? OR (coursevisible AND listed AND visible)) GROUP BY id ORDER BY _score DESC, time DESC LIMIT 30', ismod())
 	return render_template('search.html', searchtext=request.args['q'], courses=courses, lectures=lectures)
 
 @app.route('/course')
 def course():
-	if 'courseid' in request.args:
-		id = request.args['courseid']
-		course = query('SELECT * FROM courses WHERE handle = ?', id)[0]
-		return render_template('course.html',
-				course=course,
-				lectures=query('SELECT * FROM lectures  WHERE course_id = ?', course['id']),
-				videos=query('SELECT *, formats.description AS format_description  FROM videos JOIN lectures ON (videos.lecture_id = lectures.id) JOIN formats ON (videos.video_format = formats.id) WHERE lectures.course_id= ? ORDER BY formats.prio DESC', course['id']))
-	else:
-		return redirect(url_for('index'))
+	if not 'courseid' in request.args:
+		return redirect(url_for('videos'))
+	id = request.args['courseid']
+	courses = query('SELECT * FROM courses WHERE handle = ? AND (? OR visible)', id, ismod())
+	if not courses:
+		flash('Diese Veranstaltung existiert nicht!')
+		return app.view_functions['videos'](), 404
+	lectures = query('SELECT * FROM lectures WHERE course_id = ? AND (? OR visible)', courses[0]['id'], ismod())
+	videos = query('''
+			SELECT *, formats.description AS format_description
+			FROM videos
+			JOIN lectures ON (videos.lecture_id = lectures.id)
+			JOIN formats ON (videos.video_format = formats.id)
+			WHERE lectures.course_id= ?
+			ORDER BY formats.prio DESC
+			''', courses[0]['id'])
+	return render_template('course.html', course=courses[0], lectures=lectures, videos=videos)
 
 @app.route('/login', methods=['GET', 'POST'])
 def login():
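Review bot: The videos query in course() (the triple-quoted `SELECT *, formats.description AS format_description` block) has no visibility predicate, while the lectures query just above filters with `(? OR visible)`: rows for hidden lectures and hidden videos are still passed to course.html, and whether they appear then depends entirely on the template. Given the commit's aim, extend the WHERE clause to `WHERE lectures.course_id= ? AND (? OR (lectures.visible AND videos.visible))` and pass `ismod()` as the second parameter, matching the per-table `visible` filters play() applies to lectures and videos. login() continues outside the hunk.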
@@ -209,7 +229,7 @@ def logout():
 		return redirect(url_for('index'))
 
 @app.route('/edit')
-@login_required
+@mod_required
 def edit():
 	tabs = {
 		'courses': ('courses_data', 'id', ['visible', 'listed', 'title', 'short',
-- 
GitLab