Fix missing user_id check in delete_thread

This commit is contained in:
David Hoppenbrouwers
2022-10-07 19:26:15 +02:00
parent 09cb2df004
commit bf41a6771c
3 changed files with 23 additions and 11 deletions


@@ -131,16 +131,18 @@ class DB:
(rowid,) (rowid,)
).fetchone() ).fetchone()
def delete_thread(self, thread_id): def delete_thread(self, user_id, thread_id):
db = self._db() db = self._db()
db.execute(''' c = db.cursor()
c.execute('''
delete delete
from threads from threads
where thread_id = ? where thread_id = ? and author_id = ?
''', ''',
(thread_id,) (thread_id, user_id)
) )
db.commit() db.commit()
return c.rowcount > 0
def add_comment_to_thread(self, thread_id, author_id, text, time): def add_comment_to_thread(self, thread_id, author_id, text, time):
db = self._db() db = self._db()
@@ -153,9 +155,8 @@ class DB:
''', ''',
(thread_id, author_id, text, time, time, thread_id) (thread_id, author_id, text, time, time, thread_id)
) )
rowid = c.lastrowid
db.commit() db.commit()
return rowid is not None return c.rowcount > 0
def add_comment_to_comment(self, parent_id, author_id, text, time): def add_comment_to_comment(self, parent_id, author_id, text, time):
db = self._db() db = self._db()
@@ -170,9 +171,7 @@ class DB:
(parent_id, author_id, text, time, time, parent_id) (parent_id, author_id, text, time, time, parent_id)
) )
print(c.lastrowid) print(c.lastrowid)
rowid = c.lastrowid return c.rowcount > 0
db.commit()
return rowid is not None
def _db(self): def _db(self):
return sqlite3.connect(self.conn) return sqlite3.connect(self.conn)
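Review bot: The new side of add_comment_to_comment no longer commits: `return c.rowcount > 0` replaces both the old `db.commit()` and the old return, so with a fresh connection from `_db()` each call, the uncommitted INSERT is discarded when that connection is closed or collected, while the method still reports success. Restore the commit before the return, `db.commit()` then `return c.rowcount > 0`, as add_comment_to_thread still does in the hunk above. The `print(c.lastrowid)` debug line kept on the new side should go as well. The INSERT statement and the start of add_comment_to_comment are outside the hunk, so whether the rowcount refers to that INSERT or a later UPDATE cannot be confirmed here.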


@@ -137,8 +137,15 @@ def confirm_delete_thread(thread_id):
@app.route('/thread/<int:thread_id>/delete/', methods = ['POST']) @app.route('/thread/<int:thread_id>/delete/', methods = ['POST'])
def delete_thread(thread_id): def delete_thread(thread_id):
db.delete_thread(thread_id) user_id = session.get('user_id')
if user_id is None:
return redirect(url_for('login'))
if db.delete_thread(user_id, thread_id):
flash('Thread has been deleted', 'success') flash('Thread has been deleted', 'success')
else:
flash('Thread could not be removed', 'error')
# TODO return 403, maybe?
return redirect(url_for('index')) return redirect(url_for('index'))
@app.route('/thread/<int:thread_id>/comment/', methods = ['POST']) @app.route('/thread/<int:thread_id>/comment/', methods = ['POST'])
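Review bot: The failure branch leaves `# TODO return 403, maybe?` unresolved; db.delete_thread returns False both when no thread with thread_id exists and when the caller is not its author, so the flash-and-redirect is a uniform response that does not reveal which case applied, and the comment should state that this is deliberate or the status should be decided. If a 403 is preferred, `abort(403)` in place of the `flash('Thread could not be removed', 'error')` line keeps the same non-disclosure, since it is returned for both cases. The `user_id is None` guard correctly stops the delete before any DB call, so the login redirect losing the thread_id is harmless here.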


@@ -85,6 +85,12 @@ table.form > * > tr > td, th {
} }
.flash.success { .flash.success {
background-color: lightgreen;
border-radius: 5px;
padding: 8px;
}
.flash.error {
background-color: #ff4646; background-color: #ff4646;
border-radius: 5px; border-radius: 5px;
padding: 8px; padding: 8px;