Force lowercase username, remove from session

2022-10-08 15:42:04 +02:00
parent e9ef9140f0
commit 9acd5c0cdc
5 changed files with 26 additions and 12 deletions
--- a/db/sqlite.py
+++ b/db/sqlite.py
@@ -122,7 +122,7 @@ class DB:
        return self._db().execute('''
            select user_id, password
            from users
-            where name = ?
+            where name = lower(?)
            ''',
            (username,)
        ).fetchone()
@@ -138,7 +138,7 @@ class DB:
    def get_user_private_info(self, user_id):
        return self._db().execute('''
-            select about
+            select name, about
            from users
            where user_id = ?
            ''',
@@ -156,6 +156,15 @@ class DB:
        )
        db.commit()
    def get_user_name(self, user_id):
        return self._db().execute('''
            select name
            from users
            where user_id = ?
            ''',
            (user_id,)
        ).fetchone()
    def add_thread(self, author_id, forum_id, title, text, time):
        db = self._db()
        c = db.cursor()
@@ -288,7 +297,7 @@ class DB:
        c = db.cursor()
        c.execute('''
            insert into users(name, password, join_time)
-            values (?, ?, ?)
+            values (lower(?), ?, ?)
            ''',
            (username, password, time)
        )
--- a/main.py
+++ b/main.py
@@ -75,7 +75,6 @@ def login():
            if verify_password(request.form['password'], hash):
                flash('Logged in', 'success')
                session['user_id'] = id
                session['username'] = request.form['username']
                return redirect(url_for('index'))
        else:
            # Sleep to reduce effectiveness of bruteforce
@@ -98,12 +97,14 @@ def user_edit():
    if request.method == 'POST':
        about = request.form['about'].replace('\r', '')
        db.set_user_private_info(user_id, about)
        name, = db.get_user_name(user_id)
        flash('Updated profile', 'success')
    else:
-        about, = db.get_user_private_info(user_id)
+        name, about = db.get_user_private_info(user_id)
    return render_template(
        'user_edit.html',
-        name = session.get('username', '???'),
+        name = name,
        title = 'Edit profile',
        about = about
    )
--- a/templates/base.html
+++ b/templates/base.html
@@ -10,7 +10,7 @@
 		<a class=logo href="{{ url_for('index') }}">A</a>
 		<div style="margin:auto"></div>
 		{% if 'user_id' in session %}
-		<a href="{{ url_for('user_edit') }}">{{ session.get('username', '???') }}</a>
+		<a href="{{ url_for('user_edit') }}">User panel</a>
 		<span>|</span>
 		<a href="{{ url_for('logout') }}">Logout</a>
 		{% else %}
--- a/templates/user_edit.html
+++ b/templates/user_edit.html
@@ -1,9 +1,13 @@
 {% extends 'base.html' %}
 {% block content %}
 <p><a href="{{ url_for('user_info', user_id = session['user_id']) }}">View public profile</a></p>
 <form method="post">
-	<p>{{ name }}</p>
+<table>
-	<p><textarea name="about">{{ about }}</textarea></p>
+<tr><td>Username</td><td>{{ name }}</td></tr>
-	<p><input type="submit" value="Update"></p>
+<tr><td>ID</td><td>{{ session['user_id'] }}</td></tr>
 <tr><td>About</td><td><textarea name="about">{{ about }}</textarea></td></tr>
 </form>
 </table>
 <input type="submit" value="Update">
 {% endblock %}
--- a/test/init_db.txt
+++ b/test/init_db.txt
@@ -1,12 +1,12 @@
 insert into users (name, password, email, join_time) values (
-	"Foo",
+	"foo",
 	-- supasecret
 	"$argon2id$v=19$m=65536,t=3,p=4$qBWCEAKgdA4BYOy915qzlg$KhGy3UF0QMlplt2eB7r7QNL2kDcggXUimRWUrWql8sI",
 	"foo@bar.baz",
 	0
 );
 insert into users (name, password, email, join_time) values (
-	"Bar",
+	"bar",
 	-- abraca
 	"$argon2id$v=19$m=65536,t=3,p=4$klJKCUFoDaF07j3nPCeEUA$lCphd5n1YIs8MaVop2vGNirwknkh91qJIZHMuBOlgWA",
 	"bar@foo.baz",