Allowed admins logged as users to do more stuff

This commit is contained in:
Stranck 2024-05-20 12:07:59 +02:00
parent df4f2eaf81
commit 752f1dbc4a
6 changed files with 37 additions and 9 deletions

app.py

@ -16,10 +16,12 @@ import requests
import sys
from sanic.log import logger, logging, access_logger
from metrics import *
from utils import isSessionAdmin
from email_util import killSmptClient
import pretixClient
import traceback
app = Sanic(__name__)
app.static("/res", "res/")
@ -156,7 +158,7 @@ async def welcome(request, order: Order, quota: Quotas):
room_members.append(await app.ctx.om.get_order(code=member_id, cached=True))
tpl = app.ctx.tpl.get_template('welcome.html')
return html(tpl.render(order=order, quota=quota, room_members=room_members, pending_roommates=pending_roommates, ROOM_ERROR_MESSAGES=ROOM_ERROR_TYPES))
return html(tpl.render(order=order, quota=quota, room_members=room_members, pending_roommates=pending_roommates, ROOM_ERROR_MESSAGES=ROOM_ERROR_TYPES, isSessionAdmin=await isSessionAdmin(request, order)))
@app.route("/manage/download_ticket")


@ -3,6 +3,7 @@ from sanic import Blueprint, exceptions, response
from ext import *
from urllib.parse import unquote
from config import ADMINS
from utils import isSessionAdmin
import json
bp = Blueprint("karaoke", url_prefix="/manage/karaoke")
@ -10,7 +11,7 @@ bp = Blueprint("karaoke", url_prefix="/manage/karaoke")
@bp.get("/admin")
async def show_songs(request, order: Order):
if not order.isAdmin():
if not await isSessionAdmin(request, order):
raise exceptions.Forbidden("Birichino")
orders = [x for x in request.app.ctx.om.cache.values() if x.karaoke_songs]
@ -28,7 +29,7 @@ async def show_songs(request, order: Order):
@bp.post("/approve")
async def approve_songs(request, order: Order):
if not order.isAdmin():
if not await isSessionAdmin(request, order):
raise exceptions.Forbidden("Birichino")
for song in request.form:
@ -44,7 +45,7 @@ async def sing_song(request, order: Order, songname):
if not order: raise exceptions.Forbidden("You have been logged out. Please access the link in your E-Mail to login again!")
if not order.isAdmin():
if not await isSessionAdmin(request, order):
raise exceptions.Forbidden("Birichino")
songname = unquote(songname)
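Review bot: `show_songs` and `approve_songs` pass `order` straight into `isSessionAdmin`, which calls `order.isAdmin()` first, so if `order` can be `None` at these routes — as the `if not order:` guard in `sing_song` suggests — the new check raises `AttributeError` (a 500) instead of the intended 403. Add the same guard ahead of each call: `if not order: raise exceptions.Forbidden("You have been logged out. Please access the link in your E-Mail to login again!")`. Note too that `isSessionAdmin` can itself raise `Forbidden("Birichino :)")` on a mismatched ORG secret, so these handlers now have two distinct 403 paths; a one-line comment at the call site would save the next reader a trip to utils.py. The bodies of `show_songs`, `approve_songs` and `sing_song` continue outside the hunks.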


@ -6,6 +6,7 @@ from PIL import Image
from io import BytesIO
from hashlib import sha224
from time import time
from utils import isSessionAdmin
import os
bp = Blueprint("propic", url_prefix="/manage/propic")
@ -38,7 +39,7 @@ async def upload_propic(request, order: Order):
if order.propic_locked:
raise exceptions.BadRequest("You have been limited from further editing the propic.")
if request.form.get('submit') != 'Upload' and time() > PROPIC_DEADLINE:
if request.form.get('submit') != 'Upload' and (time() > PROPIC_DEADLINE and not await isSessionAdmin(request, order)):
raise exceptions.BadRequest("The deadline has passed. You cannot modify the badges at this moment.")
if request.form.get('submit') == 'Delete main image':

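--- /dev/null
+++ b/stuff/testAsyncio.py
@@ -0,0 +1,11 @@
+# python merda
+import asyncio
+async def a():
+print("a")
+def b():
+loop = asyncio.get_event_loop()
+print(loop)
+b()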
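Review bot: `stuff/testAsyncio.py` looks like a throwaway debugging script — it runs `b()` at import time and its only comment is a non-English expletive — and the commit message does not mention it. If it is meant to stay, guard the call with `if __name__ == "__main__":` and replace the comment with one that says what it checks, e.g. `# scratch: check what asyncio.get_event_loop() returns outside a running loop`; otherwise drop it from the commit. Calling `asyncio.get_event_loop()` from a plain function with no running loop is deprecated in recent Python versions, so what it prints will vary by interpreter.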


@ -32,7 +32,7 @@
{% endif %}
</div>
{% if time() > PROPIC_DEADLINE %}
{% if time() > PROPIC_DEADLINE and not isSessionAdmin %}
<p class="notice">⚠️ The deadline to upload pictures for the badge has expired. For last-minute changes, please contact the support over at <a href="mailto:info@furizon.net">info@furizon.net</a>. If your badge has been printed already, changing it will incur in a 2€ fee. You can also get extra badges at the reception for the same price. If you upload a propic now, it might not be printed on time.</p>
{% else %}
<p><em>
@ -43,9 +43,9 @@
{% endif %}
<div class="grid grid_2x2">
<input style="grid-area: 1 / 1 / 2 / 3;" type="submit" name="submit" value="Upload" {{'disabled' if (order.ans('propic') and order.ans('propic_fursuiter')) else ''}} />
<input style="grid-area: 2 / 1 / 3 / 2;" type="submit" name="submit" value="Delete main image" {{'disabled' if (time() > PROPIC_DEADLINE or not order.ans('propic')) else ''}} />
<input style="grid-area: 2 / 2 / 3 / 3;" type="submit" name="submit" value="Delete fursuit image" {{'disabled' if (time() > PROPIC_DEADLINE or not order.ans('propic_fursuiter')) else ''}} />
<input style="grid-area: 1 / 1 / 2 / 3;" type="submit" name="submit" value="Upload" {{'disabled' if ((order.ans('propic') and order.ans('propic_fursuiter'))) or (time() > PROPIC_DEADLINE and not isSessionAdmin) else ''}} />
<input style="grid-area: 2 / 1 / 3 / 2;" type="submit" name="submit" value="Delete main image" {{'disabled' if ((time() > PROPIC_DEADLINE and not isSessionAdmin) or not order.ans('propic')) else ''}} />
<input style="grid-area: 2 / 2 / 3 / 3;" type="submit" name="submit" value="Delete fursuit image" {{'disabled' if ((time() > PROPIC_DEADLINE and not isSessionAdmin) or not order.ans('propic_fursuiter')) else ''}} />
</div>
</form>
</details>
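Review bot: The `disabled` expression on the Upload button carries a redundant extra pair of parentheses around `order.ans('propic') and order.ans('propic_fursuiter')`; `{{'disabled' if (order.ans('propic') and order.ans('propic_fursuiter')) or (time() > PROPIC_DEADLINE and not isSessionAdmin) else ''}}` reads the same and matches the shape of the two lines below it. `isSessionAdmin` is a new template variable supplied by `welcome` in app.py; any other route rendering this template without it will, under Jinja's default `Undefined`, take the falsy path and fail closed to the non-admin branch — acceptable, but a `{# isSessionAdmin is set by welcome(); undefined means non-admin #}` comment near the first use would make that explicit. Disabling buttons here is presentation only; the deadline check in the propic upload handler remains the actual control.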


@ -288,6 +288,19 @@ async def validate_rooms(request, rooms, om):
logger.info(f"[ROOM VALIDATION] Sent {sent_count} emails")
# Returns true if the logged used is an admin OR if it's an admin logged as another user
async def isSessionAdmin(request, order):
if(order.isAdmin()): return True
orgCode = request.cookies.get("foxo_code_ORG")
orgSecret = request.cookies.get("foxo_secret_ORG")
if orgCode != None and orgSecret != None:
user = await request.app.ctx.om.get_order(code=orgCode)
if(user == None): return False
if(user.secret != orgSecret): raise exceptions.Forbidden("Birichino :)")
return user.isAdmin()
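Review bot: `isSessionAdmin` falls off the end when either ORG cookie is missing, so callers get `None` rather than `False`; add an explicit `return False` after the `if` block so the contract in the comment above holds. The credential check at `if(user.secret != orgSecret)` is a plain string comparison; for a secret compare prefer `if not hmac.compare_digest(str(user.secret), orgSecret): raise exceptions.Forbidden("Birichino :)")` with `import hmac` at the top of utils.py. The function also relies on `exceptions` being imported in utils.py, which this hunk does not show — worth confirming. Unlike the `get_order(..., cached=True)` call in app.py, the lookup here is uncached, so every admin check on an impersonation session may hit the backend; confirm that is intended.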
async def check_room(request, order, om=None):
room_errors = []
room_members = []