Allowed admins logged as users to do more stuff

This commit is contained in:
Stranck 2024-05-20 12:07:59 +02:00
parent df4f2eaf81
commit 752f1dbc4a
6 changed files with 37 additions and 9 deletions

app.py

@ -16,10 +16,12 @@ import requests
import sys import sys
from sanic.log import logger, logging, access_logger from sanic.log import logger, logging, access_logger
from metrics import * from metrics import *
from utils import isSessionAdmin
from email_util import killSmptClient from email_util import killSmptClient
import pretixClient import pretixClient
import traceback import traceback
app = Sanic(__name__) app = Sanic(__name__)
app.static("/res", "res/") app.static("/res", "res/")
@ -156,7 +158,7 @@ async def welcome(request, order: Order, quota: Quotas):
room_members.append(await app.ctx.om.get_order(code=member_id, cached=True)) room_members.append(await app.ctx.om.get_order(code=member_id, cached=True))
tpl = app.ctx.tpl.get_template('welcome.html') tpl = app.ctx.tpl.get_template('welcome.html')
return html(tpl.render(order=order, quota=quota, room_members=room_members, pending_roommates=pending_roommates, ROOM_ERROR_MESSAGES=ROOM_ERROR_TYPES)) return html(tpl.render(order=order, quota=quota, room_members=room_members, pending_roommates=pending_roommates, ROOM_ERROR_MESSAGES=ROOM_ERROR_TYPES, isSessionAdmin=await isSessionAdmin(request, order)))
@app.route("/manage/download_ticket") @app.route("/manage/download_ticket")


@ -3,6 +3,7 @@ from sanic import Blueprint, exceptions, response
from ext import * from ext import *
from urllib.parse import unquote from urllib.parse import unquote
from config import ADMINS from config import ADMINS
from utils import isSessionAdmin
import json import json
bp = Blueprint("karaoke", url_prefix="/manage/karaoke") bp = Blueprint("karaoke", url_prefix="/manage/karaoke")
@ -10,7 +11,7 @@ bp = Blueprint("karaoke", url_prefix="/manage/karaoke")
@bp.get("/admin") @bp.get("/admin")
async def show_songs(request, order: Order): async def show_songs(request, order: Order):
if not order.isAdmin(): if not await isSessionAdmin(request, order):
raise exceptions.Forbidden("Birichino") raise exceptions.Forbidden("Birichino")
orders = [x for x in request.app.ctx.om.cache.values() if x.karaoke_songs] orders = [x for x in request.app.ctx.om.cache.values() if x.karaoke_songs]
@ -28,7 +29,7 @@ async def show_songs(request, order: Order):
@bp.post("/approve") @bp.post("/approve")
async def approve_songs(request, order: Order): async def approve_songs(request, order: Order):
if not order.isAdmin(): if not await isSessionAdmin(request, order):
raise exceptions.Forbidden("Birichino") raise exceptions.Forbidden("Birichino")
for song in request.form: for song in request.form:
@ -44,7 +45,7 @@ async def sing_song(request, order: Order, songname):
if not order: raise exceptions.Forbidden("You have been logged out. Please access the link in your E-Mail to login again!") if not order: raise exceptions.Forbidden("You have been logged out. Please access the link in your E-Mail to login again!")
if not order.isAdmin(): if not await isSessionAdmin(request, order):
raise exceptions.Forbidden("Birichino") raise exceptions.Forbidden("Birichino")
songname = unquote(songname) songname = unquote(songname)
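Review bot: The same guard `if not await isSessionAdmin(request, order): raise exceptions.Forbidden("Birichino")` is now repeated in show_songs, approve_songs and sing_song; a small decorator or helper that awaits the check and raises once would keep the three handlers in step the next time the admin rule changes. approve_songs is a state-changing POST whose authorization now rests entirely on cookies (the session plus the ORG pair read by isSessionAdmin), so it is worth confirming the blueprint has CSRF protection — nothing in this hunk shows one. Each handler's body continues outside the hunk.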


@ -6,6 +6,7 @@ from PIL import Image
from io import BytesIO from io import BytesIO
from hashlib import sha224 from hashlib import sha224
from time import time from time import time
from utils import isSessionAdmin
import os import os
bp = Blueprint("propic", url_prefix="/manage/propic") bp = Blueprint("propic", url_prefix="/manage/propic")
@ -38,7 +39,7 @@ async def upload_propic(request, order: Order):
if order.propic_locked: if order.propic_locked:
raise exceptions.BadRequest("You have been limited from further editing the propic.") raise exceptions.BadRequest("You have been limited from further editing the propic.")
if request.form.get('submit') != 'Upload' and time() > PROPIC_DEADLINE: if request.form.get('submit') != 'Upload' and (time() > PROPIC_DEADLINE and not await isSessionAdmin(request, order)):
raise exceptions.BadRequest("The deadline has passed. You cannot modify the badges at this moment.") raise exceptions.BadRequest("The deadline has passed. You cannot modify the badges at this moment.")
if request.form.get('submit') == 'Delete main image': if request.form.get('submit') == 'Delete main image':
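Review bot: The server-side deadline check on the changed line still exempts the Upload action entirely (`request.form.get('submit') != 'Upload'` is the first operand), while the template change in this same commit disables the Upload button after the deadline for non-admins, so the upload restriction is enforced only in the UI and the server accepts a late upload regardless of admin status. If blocking late uploads is the intent, drop the exemption so both sides agree, e.g. `if time() > PROPIC_DEADLINE and not await isSessionAdmin(request, order):`; if late uploads are meant to stay allowed (the notice text in the template still says an upload "might not be printed on time"), the template should not disable the button. Note also that isSessionAdmin raises Forbidden on an ORG-cookie secret mismatch, so this branch can now answer 403 instead of the BadRequest for a user carrying a stale ORG cookie. The enclosing upload_propic body continues outside the hunk.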

stuff/testAsyncio.py Normal file

@ -0,0 +1,11 @@
# python merda
import asyncio
async def a():
print("a")
def b():
loop = asyncio.get_event_loop()
print(loop)
b()
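Review bot: This new scratch script is unrelated to the admin-session change and looks like a local experiment committed by accident (the comment on its first line and the module-level `b()` call suggest so); consider dropping it from the commit or keeping it out of the repository. If it stays, `asyncio.get_event_loop()` called with no running loop emits a DeprecationWarning on recent Python versions, and `a()` is defined but never awaited.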


@ -32,7 +32,7 @@
{% endif %} {% endif %}
</div> </div>
{% if time() > PROPIC_DEADLINE %} {% if time() > PROPIC_DEADLINE and not isSessionAdmin %}
<p class="notice">⚠️ The deadline to upload pictures for the badge has expired. For last-minute changes, please contact the support over at <a href="mailto:info@furizon.net">info@furizon.net</a>. If your badge has been printed already, changing it will incur in a 2€ fee. You can also get extra badges at the reception for the same price. If you upload a propic now, it might not be printed on time.</p> <p class="notice">⚠️ The deadline to upload pictures for the badge has expired. For last-minute changes, please contact the support over at <a href="mailto:info@furizon.net">info@furizon.net</a>. If your badge has been printed already, changing it will incur in a 2€ fee. You can also get extra badges at the reception for the same price. If you upload a propic now, it might not be printed on time.</p>
{% else %} {% else %}
<p><em> <p><em>
@ -43,9 +43,9 @@
{% endif %} {% endif %}
<div class="grid grid_2x2"> <div class="grid grid_2x2">
<input style="grid-area: 1 / 1 / 2 / 3;" type="submit" name="submit" value="Upload" {{'disabled' if (order.ans('propic') and order.ans('propic_fursuiter')) else ''}} /> <input style="grid-area: 1 / 1 / 2 / 3;" type="submit" name="submit" value="Upload" {{'disabled' if ((order.ans('propic') and order.ans('propic_fursuiter'))) or (time() > PROPIC_DEADLINE and not isSessionAdmin) else ''}} />
<input style="grid-area: 2 / 1 / 3 / 2;" type="submit" name="submit" value="Delete main image" {{'disabled' if (time() > PROPIC_DEADLINE or not order.ans('propic')) else ''}} /> <input style="grid-area: 2 / 1 / 3 / 2;" type="submit" name="submit" value="Delete main image" {{'disabled' if ((time() > PROPIC_DEADLINE and not isSessionAdmin) or not order.ans('propic')) else ''}} />
<input style="grid-area: 2 / 2 / 3 / 3;" type="submit" name="submit" value="Delete fursuit image" {{'disabled' if (time() > PROPIC_DEADLINE or not order.ans('propic_fursuiter')) else ''}} /> <input style="grid-area: 2 / 2 / 3 / 3;" type="submit" name="submit" value="Delete fursuit image" {{'disabled' if ((time() > PROPIC_DEADLINE and not isSessionAdmin) or not order.ans('propic_fursuiter')) else ''}} />
</div> </div>
</form> </form>
</details> </details>
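Review bot: The new `isSessionAdmin` references on the deadline condition and the three submit inputs depend on the render call supplying that variable; with Jinja's default Undefined an unset name is falsy, so any render of this template that does not pass it would silently treat every viewer as non-admin instead of failing. The only render in this commit that passes it is the welcome handler, presumably via welcome.html; if this template is rendered or included anywhere else, pass the flag there too, or make the dependency explicit with a comment at the top of the block such as `{# isSessionAdmin: set by the welcome handler; undefined renders as non-admin #}`. The doubled parentheses in `((order.ans('propic') and order.ans('propic_fursuiter')))` on the Upload input can be reduced to one pair.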


@ -288,6 +288,19 @@ async def validate_rooms(request, rooms, om):
logger.info(f"[ROOM VALIDATION] Sent {sent_count} emails") logger.info(f"[ROOM VALIDATION] Sent {sent_count} emails")
# Returns true if the logged used is an admin OR if it's an admin logged as another user
async def isSessionAdmin(request, order):
if(order.isAdmin()): return True
orgCode = request.cookies.get("foxo_code_ORG")
orgSecret = request.cookies.get("foxo_secret_ORG")
if orgCode != None and orgSecret != None:
user = await request.app.ctx.om.get_order(code=orgCode)
if(user == None): return False
if(user.secret != orgSecret): raise exceptions.Forbidden("Birichino :)")
return user.isAdmin()
async def check_room(request, order, om=None): async def check_room(request, order, om=None):
room_errors = [] room_errors = []
room_members = [] room_members = []
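Review bot: The secret comparison `if(user.secret != orgSecret)` in the new isSessionAdmin is an early-exit string compare; for a credential check prefer a constant-time comparison, `if not hmac.compare_digest(user.secret, orgSecret): raise exceptions.Forbidden("Birichino :)")` (needs `import hmac`; both values must be str or both bytes). The lookup `await request.app.ctx.om.get_order(code=orgCode)` omits the `cached=True` that the welcome handler uses for its own lookups, and since this check now runs on every welcome render, the karaoke admin routes and the propic deadline branch for any user carrying ORG cookies, each call may reach the backing store — worth confirming the cached path is acceptable here. Raising Forbidden on a mismatch rather than returning False means a stale or foreign `foxo_secret_ORG` cookie turns pages where admin status is only decorative, such as the welcome page, into a 403; if that is intended, say so in a docstring. Minor: `!= None` should be `is not None`, the comment's "logged used" should read "logged user", and a docstring stating that the function returns True for the order's own admin flag or for an admin acting as another user via the ORG cookie pair would help the next caller.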