diff --git a/db_schema.sql b/db_schema.sql
index 096ebbb1ae2e2092928a296e613c675b30200bcd..e48bd14cce69d37acecd4b4f4f8af42061395f66 100644
--- a/db_schema.sql
+++ b/db_schema.sql
@@ -98,7 +98,7 @@ CREATE TABLE IF NOT EXISTS `auth` (
 `course_id` INTEGER,
 `lecture_id` INTEGER,
 `video_id` INTEGER,
- `type` varchar(10),
+ `auth_type` varchar(10),
 `auth_user` varchar(127),
 `auth_passwd` varchar(127)
 );
diff --git a/server.py b/server.py
index 4ad08d15fb8da83d728014216bfc10b39da185fa..55dcc177de9e84cbf71899b03a3651d000de24d3 100755
--- a/server.py
+++ b/server.py
@@ -157,12 +157,15 @@ def search():
 'WHERE (? OR (coursevisible AND listed AND visible)) GROUP BY id ORDER BY _score DESC, time DESC LIMIT 30', ismod())
 return render_template('search.html', searchtext=request.args['q'], courses=courses, lectures=lectures)
+def check_mod(user, groups):
+ return user and 'users' in groups
+
 @app.route('/login', methods=['GET', 'POST'])
 def login():
 if request.method == 'GET':
 return render_template('login.html')
 user, groups = ldapauth(request.form.get('user'), request.form.get('password'))
- if not user or not 'users' in groups:
+ if not check_mod(user, groups):
 flash('Login fehlgeschlagen!')
 return render_template('login.html')
 session['user'] = ldapget(user)
@@ -201,7 +204,6 @@ def edit():
 assert column in tabs[table][2]
 query('INSERT INTO changelog ("table",id_value,id_key,field,value_new,value_old,"when",who,executed) VALUES (?,?,?,?,?,(SELECT %s FROM %s WHERE %s = ?),?,?,1)'%(column,tabs[table][0],tabs[table][1]),table,id,tabs[table][1],column,val,id,datetime.now(),session['user']['givenName'])
 query('UPDATE %s SET %s = ? WHERE %s = ?'%(tabs[table][0], column,tabs[table][1]), val, id)
- query('COMMIT')
 return "OK", 200
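Review bot: `check_mod` has no docstring and its name does not say what it actually tests — that a non-empty LDAP user is a member of the `users` group, which login() (and the auth() change further down) treat as moderator status. A docstring such as `"""Return whether an ldapauth() result (user, groups) denotes a moderator: a non-empty user that is in the 'users' group."""` would make that contract explicit. The function also returns the `user` value itself (None or '') rather than a bool when the user is empty; `return bool(user) and 'users' in groups` gives callers a plain bool at no cost. If `groups` can be something other than a container after a failed bind, `'users' in groups` would raise — the old inline check had the same exposure, so this only matters if ldapauth() ever returns None there.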
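Review bot: Dropping `query('COMMIT')` means the changelog INSERT and the UPDATE on the preceding lines are persisted only if `query()` itself commits or the connection runs in autocommit mode; `query()` is not visible here, so this should be confirmed rather than assumed. If that is the case, a short comment on the UPDATE line, `# query() commits each statement; no explicit COMMIT needed`, would save the next reader the same question. edit() starts outside the hunk.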
@@ -214,24 +216,23 @@ def auth(): # For use with nginx auth_request
 ip = request.headers.get('X-Real-IP', '')
 if url.endswith('jpg'):
 return "OK", 200
- videos = query('''SELECT videos.path, videos.id, lectures.id AS lecture_id, courses.id AS course_id, protected.*
+ videos = query('''SELECT videos.path, videos.id, lectures.id AS lecture_id, courses.id AS course_id, auth.*
 FROM videos
 JOIN lectures ON (videos.lecture_id = lectures.id)
 JOIN courses ON (lectures.course_id = courses.id)
- LEFT JOIN protected ON (videos.id = protected.video_id OR lectures.id = protected.lecture_id OR courses.id = protected.course_id)
+ LEFT JOIN auth ON (videos.id = auth.video_id OR lectures.id = auth.lecture_id OR courses.id = auth.course_id)
 WHERE videos.path = ? AND (? OR (courses.visible AND lectures.visible AND videos.visible))
- ORDER BY protected.video_id DESC, protected.lecture_id DESC, protected.course_id DESC''',
+ ORDER BY auth.video_id DESC, auth.lecture_id DESC, auth.course_id DESC''',
 url, ismod())
 if not videos:
 return "Not allowed", 403
- first = videos[0]
 allowed = False
 types = []
 auth = request.authorization
 for video in videos:
- if first and ((first['video_id'] and not video['video_id']) \
- or (first['lecture_id'] and not video['lecture_id'])):
+ if videos[0] and ((videos[0]['video_id'] and not video['video_id']) \
+ or (videos[0]['lecture_id'] and not video['lecture_id'])):
 break
 types.append(video['auth_type'])
 if video['auth_type'] == 'public':
@@ -241,7 +242,8 @@ def auth(): # For use with nginx auth_request
 if auth and video['auth_user'] == auth.username and video['auth_passwd'] == auth.password:
 allowed = True
 break
- if allowed or ismod():
+ if not types[0] or allowed or ismod() or \
+ (auth and check_mod(*ldapauth(auth.username, auth.password))):
 return 'OK', 200
 query('INSERT INTO log VALUES (?, "", ?, "video", ?, ?)', ip, datetime.now(), videos[0]['id'], url)
 elif 'password' in types:
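Review bot: After the rename, `auth` means three different things inside this one function — the view function itself, the SQL table read via `auth.*`/`auth.video_id`, and the local `auth = request.authorization` used as `auth.username` a few lines later — which makes the two dotted forms easy to confuse when reading the access check. A comment on the query line, `# 'auth' in the SQL below is the access-control table, not the Basic-auth header bound to the local 'auth' further down`, or aliasing the table in the query, would keep them apart. The loop guard `if videos[0] and ...` also re-subscripts `videos[0]` on every iteration where the removed `first` local did it once; the `videos[0] and` part looks redundant after the `if not videos` return, assuming a row object is always truthy. The function's header and remainder are outside the hunk.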
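Review bot: The new last clause performs a live LDAP bind with the request's Basic credentials on every auth_request for which the static `auth_user`/`auth_passwd` did not match and no moderator session exists; since nginx issues one auth_request per media request (including range requests), a client sending wrong credentials drives one directory bind per request with no throttling visible here, which is both a load concern and an online-guessing surface against directory accounts. Caching a successful LDAP result in the session, or at least limiting retries per client, would bound that; a comment such as `# falls back to an LDAP bind per request — credentials are not cached` should document the current behaviour either way. The `*ldapauth(...)` unpacking assumes a 2-tuple on failure; login() unpacks it the same way so that is presumably guaranteed, but a `None` return would surface as a TypeError (500) rather than a 403. Separately, the `query('INSERT INTO log ...')` context line sits directly after `return 'OK', 200` in the same branch (the following `elif` must pair with this `if`), so it appears unreachable and granted accesses are apparently never logged — if logging is intended, the insert should precede the return.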
@@ -302,7 +304,6 @@ def schedule():
 for i in range(s.hour*4,min(int((60*e.hour/15)/4)*4+5,24*4)):
 t = i*15
 times.append(time(int(t/60),t%60))
- return render_template('schedule.html',days=days,times=times,kw=kw)
 @app.route('/stats')
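Review bot: Removing the `return render_template(...)` leaves schedule() ending without a return, so the view yields None and Flask will reject the response with an error for requests to that route; the route decorator and the rest of the body are outside the hunk, so this holds unless an earlier part of the function now returns. If the intent is to keep the view working, the line `return render_template('schedule.html', days=days, times=times, kw=kw)` needs to stay after the loop; if the view is being retired, removing its route decorator as well would be clearer than a view that errors.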