moonq/qgreper
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

use markdown2, add forced login. Added breadcrumbs

Browse Source
This commit is contained in:
Ville Rantanen
2023-07-23 20:23:48 +03:00
parent 09f56bd1fe
commit 9437e64936
13 changed files with 771 additions and 527 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
captcha.py
View File

@@ -1,20 +1,25 @@
from random import randint
import hashlib, base64
# FIXME hash can be reused
def generate(key):
'''
"""
Generate a simple CAPTCHA.
It is based on a simple math expression which stops the simplest of bots.
'''
"""
# The parameters are chosen such that they are simple to solve on paper.
a = randint(1, 10)
b = randint(1, 10)
c = randint(10, 20)
return f'{a} * {b} + {c} = ', _hash_answer(key, str(a * b + c))
return f"{a} * {b} + {c} = ", _hash_answer(key, str(a * b + c))
def verify(key, answer, hash):
return _hash_answer(key, answer) == hash
def _hash_answer(key, answer):
return base64.b64encode(hashlib.sha256((key + answer).encode('utf-8')).digest()).decode('ascii')
return base64.b64encode(
hashlib.sha256((key + answer).encode("utf-8")).digest()
).decode("ascii")

427
db/sqlite.py
View File

@@ -1,18 +1,25 @@
import sqlite3
class DB:
def __init__(self, conn):
self.conn = conn
pass
def get_config(self):
return self._db().execute('''
select version, name, description, secret_key, captcha_key, registration_enabled from config
'''
).fetchone()
return (
self._db()
.execute(
"""
select version, name, description, secret_key, captcha_key, registration_enabled, login_required from config
"""
)
.fetchone()
)
def get_forums(self):
return self._db().execute('''
return self._db().execute(
"""
select f.forum_id, name, description, thread_id, title, update_time
from forums f
left join threads t
@@ -23,20 +30,41 @@ class DB:
order by update_time desc
limit 1
)
'''
"""
)
def get_forum(self, forum_id):
return self._db().execute('''
return (
self._db()
.execute(
"""
select name, description
from forums
where forum_id = ?
''',
(forum_id,)
).fetchone()
""",
(forum_id,),
)
.fetchone()
)
def get_thread_forum(self, thread_id):
""" Returns forum_id of a thread """
return (
self._db()
.execute(
"""
select forum_id
from threads
where thread_id = ?
""",
(thread_id,),
)
.fetchone()[0]
)
def get_threads(self, forum_id, offset, limit, user_id):
return self._db().execute('''
return self._db().execute(
"""
select
t.thread_id,
title,
@@ -70,20 +98,22 @@ class DB:
order by t.update_time desc
limit ?
offset ?
''',
(forum_id, user_id, limit, offset)
""",
(forum_id, user_id, limit, offset),
)
def get_thread(self, thread):
db = self._db()
title, text, author, author_id, create_time, modify_time, hidden = db.execute('''
select title, text, name, author_id, create_time, modify_time, hidden
title, text, author, author_id, create_time, modify_time, hidden, forum_id = db.execute(
"""
select title, text, name, author_id, create_time, modify_time, hidden, forum_id
from threads, users
where thread_id = ? and author_id = user_id
''',
(thread,)
""",
(thread,),
).fetchone()
comments = db.execute('''
comments = db.execute(
"""
select
comment_id,
parent_id,
@@ -97,59 +127,91 @@ class DB:
left join users
on author_id = user_id
where thread_id = ?
''',
(thread,)
""",
(thread,),
)
return (
title,
text,
author,
author_id,
create_time,
modify_time,
comments,
hidden,
forum_id
)
return title, text, author, author_id, create_time, modify_time, comments, hidden
def get_thread_title(self, thread_id):
return self._db().execute('''
return (
self._db()
.execute(
"""
select title
from threads
where thread_id = ?
''',
(thread_id,)
).fetchone()
""",
(thread_id,),
)
.fetchone()
)
def get_thread_title_text(self, thread_id):
return self._db().execute('''
return (
self._db()
.execute(
"""
select title, text
from threads
where thread_id = ?
''',
(thread_id,)
).fetchone()
""",
(thread_id,),
)
.fetchone()
)
def get_recent_threads(self, limit):
return self._db().execute('''
return self._db().execute(
"""
select thread_id, title, modify_date
from threads
order by modify_date
limit ?
''',
(limit,)
""",
(limit,),
)
def get_comment(self, comment_id):
return self._db().execute('''
return (
self._db()
.execute(
"""
select title, c.text
from comments c, threads t
where comment_id = ? and c.thread_id = t.thread_id
''',
(comment_id,)
).fetchone()
""",
(comment_id,),
)
.fetchone()
)
def get_subcomments(self, comment_id):
db = self._db()
thread_id, parent_id, title = db.execute('''
thread_id, parent_id, title = db.execute(
"""
select threads.thread_id, parent_id, title
from threads, comments
where comment_id = ? and threads.thread_id = comments.thread_id
''',
(comment_id,)
""",
(comment_id,),
).fetchone()
# Recursive CTE, see https://www.sqlite.org/lang_with.html
return thread_id, parent_id, title, db.execute('''
return (
thread_id,
parent_id,
title,
db.execute(
"""
with recursive
descendant_of(id) as (
select comment_id from comments where comment_id = ?
@@ -171,112 +233,148 @@ class DB:
users
where id = comment_id
and user_id = author_id
''',
(comment_id,)
""",
(comment_id,),
),
)
def get_user_password(self, username):
return self._db().execute('''
return (
self._db()
.execute(
"""
select user_id, password
from users
where name = lower(?)
''',
(username,)
).fetchone()
""",
(username,),
)
.fetchone()
)
def get_user_password_by_id(self, user_id):
return self._db().execute('''
return (
self._db()
.execute(
"""
select password
from users
where user_id = ?
''',
(user_id,)
).fetchone()
""",
(user_id,),
)
.fetchone()
)
def set_user_password(self, user_id, password):
return self.change_one('''
return self.change_one(
"""
update users
set password = ?
where user_id = ?
''',
(password, user_id)
""",
(password, user_id),
)
def get_user_public_info(self, user_id):
return self._db().execute('''
return (
self._db()
.execute(
"""
select name, about, banned_until
from users
where user_id = ?
''',
(user_id,)
).fetchone()
""",
(user_id,),
)
.fetchone()
)
def get_user_private_info(self, user_id):
return self._db().execute('''
return (
self._db()
.execute(
"""
select about
from users
where user_id = ?
''',
(user_id,)
).fetchone()
""",
(user_id,),
)
.fetchone()
)
def set_user_private_info(self, user_id, about):
db = self._db()
db.execute('''
db.execute(
"""
update users
set about = ?
where user_id = ?
''',
(about, user_id)
""",
(about, user_id),
)
db.commit()
def get_user_name_role_banned(self, user_id):
return self._db().execute('''
return (
self._db()
.execute(
"""
select name, role, banned_until
from users
where user_id = ?
''',
(user_id,)
).fetchone()
""",
(user_id,),
)
.fetchone()
)
def get_user_name(self, user_id):
return self._db().execute('''
return (
self._db()
.execute(
"""
select name
from users
where user_id = ?
''',
(user_id,)
).fetchone()
""",
(user_id,),
)
.fetchone()
)
def add_thread(self, author_id, forum_id, title, text, time):
db = self._db()
c = db.cursor()
c.execute('''
c.execute(
"""
insert into threads (author_id, forum_id, title, text,
create_time, modify_time, update_time)
select ?, ?, ?, ?, ?, ?, ?
from users
where user_id = ? and banned_until < ?
''',
(author_id, forum_id, title, text, time, time, time, author_id, time)
""",
(author_id, forum_id, title, text, time, time, time, author_id, time),
)
rowid = c.lastrowid
if rowid is None:
return None
db.commit()
return db.execute('''
return db.execute(
"""
select thread_id
from threads
where rowid = ?
''',
(rowid,)
""",
(rowid,),
).fetchone()
def delete_thread(self, user_id, thread_id):
db = self._db()
c = db.cursor()
c.execute('''
c.execute(
"""
delete
from threads
-- 1 = moderator, 2 = admin
@@ -284,8 +382,8 @@ class DB:
author_id = ?
or (select 1 from users where user_id = ? and (role = 1 or role = 2))
)
''',
(thread_id, user_id, user_id)
""",
(thread_id, user_id, user_id),
)
db.commit()
return c.rowcount > 0
@@ -293,7 +391,8 @@ class DB:
def delete_comment(self, user_id, comment_id):
db = self._db()
c = db.cursor()
c.execute('''
c.execute(
"""
delete
from comments
where comment_id = ?
@@ -304,8 +403,8 @@ class DB:
)
-- Don't allow deleting comments with children
and (select 1 from comments where parent_id = ?) is null
''',
(comment_id, user_id, user_id, comment_id)
""",
(comment_id, user_id, user_id, comment_id),
)
db.commit()
return c.rowcount > 0
@@ -313,21 +412,23 @@ class DB:
def add_comment_to_thread(self, thread_id, author_id, text, time):
db = self._db()
c = db.cursor()
c.execute('''
c.execute(
"""
insert into comments(thread_id, author_id, text, create_time, modify_time)
select ?, ?, ?, ?, ?
from threads, users
where thread_id = ? and user_id = ? and banned_until < ?
''',
(thread_id, author_id, text, time, time, thread_id, author_id, time)
""",
(thread_id, author_id, text, time, time, thread_id, author_id, time),
)
if c.rowcount > 0:
c.execute('''
c.execute(
"""
update threads
set update_time = ?
where thread_id = ?
''',
(time, thread_id)
""",
(time, thread_id),
)
db.commit()
return True
@@ -336,16 +437,18 @@ class DB:
def add_comment_to_comment(self, parent_id, author_id, text, time):
db = self._db()
c = db.cursor()
c.execute('''
c.execute(
"""
insert into comments(thread_id, parent_id, author_id, text, create_time, modify_time)
select thread_id, ?, ?, ?, ?, ?
from comments, users
where comment_id = ? and user_id = ? and banned_until < ?
''',
(parent_id, author_id, text, time, time, parent_id, author_id, time)
""",
(parent_id, author_id, text, time, time, parent_id, author_id, time),
)
if c.rowcount > 0:
c.execute('''
c.execute(
"""
update threads
set update_time = ?
where threads.thread_id = (
@@ -353,8 +456,8 @@ class DB:
from comments c
where comment_id = ?
)
''',
(time, parent_id)
""",
(time, parent_id),
)
db.commit()
return True
@@ -363,7 +466,8 @@ class DB:
def modify_thread(self, thread_id, user_id, title, text, time):
db = self._db()
c = db.cursor()
c.execute('''
c.execute(
"""
update threads
set title = ?, text = ?, modify_time = ?
where thread_id = ? and (
@@ -371,13 +475,17 @@ class DB:
-- 1 = moderator, 2 = admin
or (select 1 from users where user_id = ? and (role = 1 or role = 2))
)
''',
""",
(
title, text, time,
title,
text,
time,
thread_id,
user_id, user_id, time,
user_id,
)
user_id,
time,
user_id,
),
)
if c.rowcount > 0:
db.commit()
@@ -387,7 +495,8 @@ class DB:
def modify_comment(self, comment_id, user_id, text, time):
db = self._db()
c = db.cursor()
c.execute('''
c.execute(
"""
update comments
set text = ?, modify_time = ?
where comment_id = ? and (
@@ -395,13 +504,16 @@ class DB:
-- 1 = moderator, 2 = admin
or (select 1 from users where user_id = ? and (role = 1 or role = 2))
)
''',
""",
(
text, time,
text,
time,
comment_id,
user_id, user_id, time,
user_id,
)
user_id,
time,
user_id,
),
)
if c.rowcount > 0:
db.commit()
@@ -409,19 +521,20 @@ class DB:
return False
def register_user(self, username, password, time):
'''
"""
Add a user if registrations are enabled.
'''
"""
try:
db = self._db()
c = db.cursor()
c.execute('''
c.execute(
"""
insert into users(name, password, join_time)
select lower(?), ?, ?
from config
where registration_enabled = 1
''',
(username, password, time)
""",
(username, password, time),
)
if c.rowcount > 0:
db.commit()
@@ -429,12 +542,13 @@ class DB:
# up by name.
# ROWID is *probably* not always consistent (race conditions).
# Ideally we get the ID immediately on insert.
return c.execute('''
return c.execute(
"""
select user_id
from users
where name = lower(?)
''',
(username,)
""",
(username,),
).fetchone()
return None
except sqlite3.IntegrityError:
@@ -442,17 +556,18 @@ class DB:
return None
def add_user(self, username, password, time):
'''
"""
Add a user without checking if registrations are enabled.
'''
"""
try:
db = self._db()
c = db.cursor()
c.execute('''
c.execute(
"""
insert into users(name, password, join_time)
values (lower(?), ?, ?)
''',
(username, password, time)
""",
(username, password, time),
)
if c.rowcount > 0:
db.commit()
@@ -463,90 +578,102 @@ class DB:
return False
def get_users(self):
return self._db().execute('''
return self._db().execute(
"""
select user_id, name, join_time, role, banned_until
from users
''',
""",
)
def set_forum_name(self, forum_id, name):
return self.change_one('''
return self.change_one(
"""
update forums
set name = ?
where forum_id = ?
''',
(name, forum_id)
""",
(name, forum_id),
)
def set_forum_description(self, forum_id, description):
return self.change_one('''
return self.change_one(
"""
update forums
set description = ?
where forum_id = ?
''',
(description, forum_id)
""",
(description, forum_id),
)
def add_forum(self, name, description):
db = self._db()
db.execute('''
db.execute(
"""
insert into forums(name, description)
values (?, ?)
''',
(name, description)
""",
(name, description),
)
db.commit()
def set_config(self, server_name, server_description, registration_enabled):
return self.change_one('''
def set_config(
self, server_name, server_description, registration_enabled, login_required
):
return self.change_one(
"""
update config
set name = ?, description = ?, registration_enabled = ?
''',
(server_name, server_description, registration_enabled)
set name = ?, description = ?, registration_enabled = ?, login_required = ?
""",
(server_name, server_description, registration_enabled, login_required),
)
def set_config_secrets(self, secret_key, captcha_key):
return self.change_one('''
return self.change_one(
"""
update config
set secret_key = ?, captcha_key = ?
''',
(secret_key, captcha_key)
""",
(secret_key, captcha_key),
)
def set_user_ban(self, user_id, until):
return self.change_one('''
return self.change_one(
"""
update users
set banned_until = ?
where user_id = ?
''',
(until, user_id)
""",
(until, user_id),
)
def set_user_role(self, user_id, role):
return self.change_one('''
return self.change_one(
"""
update users
set role = ?
where user_id = ?
''',
(role, user_id)
""",
(role, user_id),
)
def set_thread_hidden(self, thread_id, hide):
return self.change_one('''
return self.change_one(
"""
update threads
set hidden = ?
where thread_id = ?
''',
(hide, thread_id)
""",
(hide, thread_id),
)
def set_comment_hidden(self, comment_id, hide):
return self.change_one('''
return self.change_one(
"""
update comments
set hidden = ?
where comment_id = ?
''',
(hide, comment_id)
""",
(hide, comment_id),
)
def change_one(self, query, values):

4
init_sqlite.sh
View File

@@ -35,7 +35,8 @@ $SQLITE "$1" -init schema.txt "insert into config (
description,
secret_key,
captcha_key,
registration_enabled
registration_enabled,
login_required
)
values (
'agreper-v0.1.1',
@@ -43,6 +44,7 @@ values (
'',
'$(head -c 30 /dev/urandom | base64)',
'$(head -c 30 /dev/urandom | base64)',
0,
0
)"
if [ "$2" != --no-admin ]

640
main.py
View File

File diff suppressed because it is too large Load Diff

50
minimd.py
View File

@@ -1,58 +1,70 @@
#!/usr/bin/env python3
import re
import markdown2
# https://stackoverflow.com/a/6041965
RE_URL = re.compile(r'(https?://([\w_-]+(?:(?:\.[\w_-]+)+))([\w.,@?^=%&:/~+#-]*[\w@?^=%&/~+#-]))')
RE_EM = re.compile(r'\*(.*?)\*')
RE_LIST = re.compile(r'(-|[0-9]\.) .*')
RE_URL = re.compile(
r"(https?://([\w_-]+(?:(?:\.[\w_-]+)+))([\w.,@?^=%&:/~+#-]*[\w@?^=%&/~+#-]))"
)
RE_EM = re.compile(r"\*(.*?)\*")
RE_LIST = re.compile(r"(-|[0-9]\.) .*")
RE_PLAINURL = re.compile(
r"([ |\n])(https?://([\w_-]+(?:(?:\.[\w_-]+)+))([\w.,@?^=%&:/~+#-]*[\w@?^=%&/~+#-]))[^\)]"
)
def html(text):
text = RE_PLAINURL.sub(r'\1[\2](\2)', text)
return markdown2.markdown(text)
def html_old(text):
# Replace angle brackets to prevent XSS
# Also replace ampersands to prevent surprises.
text = text.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')
text = text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
html = ['<p>']
lines = text.split('\n')
html = ["<p>"]
lines = text.split("\n")
in_code = False
in_list = False
for l in lines:
if l == '':
if l == "":
in_list = False
if in_code:
html.append('</pre>')
html.append("</pre>")
in_code = False
html.append('</p><p>')
html.append("</p><p>")
continue
if l.startswith(' '):
if l.startswith(" "):
in_list = False
l = l[2:]
if not in_code:
html.append('<pre>')
html.append("<pre>")
in_code = True
html.append(l)
continue
if in_code:
html.append('</pre>')
html.append("</pre>")
in_code = False
l = RE_EM.sub(r'<em>\1</em>', l)
l = RE_EM.sub(r"<em>\1</em>", l)
l = RE_URL.sub(r'<a href="\1">\1</a>', l)
if RE_LIST.match(l):
if in_list:
html.append('<br>')
html.append("<br>")
in_list = True
else:
in_list = False
html.append(l)
if in_code:
html.append('</pre>')
html.append('</p>')
return '\n'.join(html)
html.append("</pre>")
html.append("</p>")
return "\n".join(html)
if __name__ == '__main__':
if __name__ == "__main__":
import sys
print(html(sys.stdin.read()))
print(html_old(sys.stdin.read()))

4
password.py
View File

@@ -1,9 +1,9 @@
import passlib.hash
def hash(password):
return passlib.hash.argon2.hash(password)
def verify(password, hash):
return passlib.hash.argon2.verify(password, hash)

1
requirements.txt
View File

@@ -2,3 +2,4 @@ argon2-cffi==21.3.0
Flask==2.2.2
gunicorn==20.1.0
passlib==1.7.4
markdown2==2.4.9

3
schema.txt
View File

@@ -4,7 +4,8 @@ create table config (
description text not null,
secret_key text not null,
captcha_key text not null,
registration_enabled boolean not null
registration_enabled boolean not null,
login_required boolean not null
);
create table users (

4
templates/admin/index.html
View File

@@ -21,6 +21,10 @@
<td>Registration enabled</td>
<td><input name=registration_enabled type=checkbox {{ 'checked' if config.registration_enabled else '' }}></td>
</tr>
<tr>
<td>Login required</td>
<td><input name=login_required type=checkbox {{ 'checked' if config.login_required else '' }}></td>
</tr>
</table>
<input type=submit value=Update>
</form>

2
templates/comments.html
View File

@@ -2,7 +2,7 @@
{% from 'comment.html' import render_comment, render_comment_pre, render_comment_post, reply with context %}
{% block content %}
<p><span> &laquo; </span><a href="{{ url_for('forum', forum_id = forum_id) }}">{{ forum_title }}</a><span> &laquo; </span><a href="{{ url_for('thread', thread_id = thread_id) }}">{{ title }}</a></p>
{{ render_comment_pre(reply_comment, thread_id, comments | length == 0) }}
{{ reply() }}

2
templates/forum.html
View File

@@ -11,7 +11,7 @@
{% block content -%}
<p>{{ minimd(description) | safe }}</p>
<p><a href="{{ url_for('new_thread', forum_id = forum_id) }}">Create thread</a></p>
<p><span> &laquo; </span><a href="{{ url_for('index') }}">Forum list</a><span> | </span><a href="{{ url_for('new_thread', forum_id = forum_id) }}">Create thread</a></p>
{{- nav() -}}
<table>
<tr>

1
templates/thread.html
View File

@@ -3,6 +3,7 @@
{%- from 'moderator.html' import moderate_thread with context %}
{%- block content %}
<p><span> &laquo; </span><a href="{{ url_for('forum', forum_id = forum_id) }}">{{ forum_title }}</a></p>
{%- if user is not none and user.is_moderator() -%}
<p>{{ moderate_thread(thread_id, hidden) }}</p>
{%- endif -%}

13
tool.py
View File

@@ -2,24 +2,27 @@
import sys, password
def arg(i, s):
if i < len(sys.argv):
return sys.argv[i]
print(s)
sys.exit(1)
def arg_last(i, s):
if i == len(sys.argv) - 1:
return sys.argv[i]
print(s)
sys.exit(1)
proc = 'tool.py' if len(sys.argv) < 1 else sys.argv[0]
cmd = arg(1, f'usage: {proc} <command> [...]')
if cmd == 'password':
pwd = arg_last(2, 'usage: {proc} password <pwd>')
proc = "tool.py" if len(sys.argv) < 1 else sys.argv[0]
cmd = arg(1, f"usage: {proc} <command> [...]")
if cmd == "password":
pwd = arg_last(2, "usage: {proc} password <pwd>")
print(password.hash(pwd))
else:
print('unknown command ', cmd)
print("unknown command ", cmd)
sys.exit(1)