From 9682295daecc00dff612f2283ebcf6435b37c135 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lera=20Elvo=C3=A9?= <yagich@poto.cafe>
Date: Sun, 19 Apr 2026 10:03:03 +0300
Subject: [PATCH] start user page and stub more endpoints

---
 app/routes/mod.py                  | 12 ++++
 app/routes/users.py                | 32 ++++++++--
 app/templates/users/user_page.html | 97 ++++++++++++++++++++++++++++++
 3 files changed, 135 insertions(+), 6 deletions(-)
 create mode 100644 app/templates/users/user_page.html

diff --git a/app/routes/mod.py b/app/routes/mod.py
index a2523f5..ce7b5b1 100644
--- a/app/routes/mod.py
+++ b/app/routes/mod.py
@@ -79,3 +79,15 @@ def sticky_thread(thread_id):
         abort(404)
     thread.update({'is_stickied': request.form.get('sticky')})
     return redirect(url_for('threads.thread', slug=thread.slug))
+
+@bp.post('/users/<int:user_id>/make-guest/')
+def make_user_guest(user_id):
+    return 'stub'
+
+@bp.post('/users/<int:user_id>/make-user/')
+def make_user_regular(user_id):
+    return 'stub'
+
+@bp.post('/users/<int:user_id>/make-mod/')
+def make_user_mod(user_id):
+    return 'stub'
diff --git a/app/routes/users.py b/app/routes/users.py
index e79ca5b..1bf248a 100644
--- a/app/routes/users.py
+++ b/app/routes/users.py
@@ -2,9 +2,10 @@ from flask import Blueprint, redirect, url_for, render_template, request, sessio
 from functools import wraps
 import time
 
-from ..auth import digest, verify, create_session, is_logged_in, parse_username, is_password_valid
+from ..auth import digest, verify, create_session, is_logged_in, parse_username, is_password_valid, login_required
 from ..models import Users
 from ..constants import PermissionLevel
+from secrets import compare_digest as compare_timesafe
 
 bp = Blueprint('users', __name__, url_prefix='/users/')
 
@@ -55,7 +56,7 @@ def sign_up_post():
     username = request.form.get('username', default='')
     if not username:
         return generic_error_page
-    if request.form.get('password', default=None) is None:
+    if request.form.get('password') is None:
         return generic_error_page
     if len(request.form.getlist('password')) != 2:
         return passwords_error_page
@@ -67,7 +68,7 @@ def sign_up_post():
     if potential_user:
         return invalid_username_error_page
 
-    if request.form.getlist('password')[0] != request.form.getlist('password')[1]:
+    if not compare_timesafe(request.form.getlist('password')[0], request.form.getlist('password')[1]):
         return passwords_error_page
 
     password_hash = digest(request.form.get('password'))
@@ -94,17 +95,36 @@ def sign_up_post():
 
 @bp.get('/<username>/')
 def user_page(username):
+    target_user = Users.find({'username': username})
+    if not target_user:
+        abort(404)
+    return render_template('users/user_page.html', target_user=target_user)
+
+@bp.get('/<username>/posts/')
+def posts(username):
     return 'stub'
 
-@bp.get('/<username>/settings')
+@bp.get('/<username>/threads/')
+def threads(username):
+    return 'stub'
+
+@bp.get('/<username>/comments/')
+def comments(username):
+    return 'stub'
+
+@bp.get('/<username>/settings/')
 def settings(username):
     return 'stub'
 
-@bp.get('/<username>/inbox')
+@bp.get('/<username>/inbox/')
 def inbox(username):
     return 'stub'
 
-@bp.get('/<username>/bookmarks')
+@bp.get('/<username>/bookmarks/')
 def bookmarks(username):
     return 'stub'
 
+@bp.post('/<username>/log_out/')
+@login_required
+def log_out(username):
+    return 'stub'
diff --git a/app/templates/users/user_page.html b/app/templates/users/user_page.html
new file mode 100644
index 0000000..a9dcf59
--- /dev/null
+++ b/app/templates/users/user_page.html
@@ -0,0 +1,97 @@
+{%- from 'common/macros.html' import subheader, timestamp, pager -%}
+{%- extends 'base.html' -%}
+{%- block title -%}{{ target_user.get_readable_name() }}'s profile{%- endblock -%}
+{%- set stats = target_user.get_post_stats() -%}
+{%- block content -%}
+{%- call() subheader("%s's profile" % target_user.get_readable_name()) -%}
+{%- if is_logged_in() -%}
+
+{%- if target_user.id == get_active_user().id -%}
+<fieldset class="plank even no-shadow minimal thread-actions">
+  <legend>Actions</legend>
+  <form action="{{url_for('users.log_out', username=target_user.username)}}" method="POST">
+    <input type="submit" class="warn" value="Log out">
+  </form>
+</fieldset>
+{%- endif -%}
+
+{%- if get_active_user().is_mod() and target_user.id != get_active_user().id -%}
+<fieldset class="plank even no-shadow minimal thread-actions">
+  <legend>Moderation actions</legend>
+  <form method="POST">
+    {%- if target_user.is_guest() -%}
+    <input class="warn" type="submit" value="Approve user" formaction="{{url_for('mod.make_user_regular', user_id=target_user.id)}}">
+    {%- else -%}
+    <input class="warn" type="submit" value="Demote to guest (soft ban)" formaction="{{url_for('mod.make_user_guest', user_id=target_user.id)}}">
+      {%- if get_active_user().is_admin() -%}
+        {%- if not target_user.is_mod_only() -%}
+        <input class="warn" type="submit" value="Promote to moderator" formaction="{{url_for('mod.make_user_mod', user_id=target_user.id)}}">
+        {%- else -%}
+        <input class="warn" type="submit" value="Demote from moderator" formaction="{{url_for('mod.make_user_regular', user_id=target_user.id)}}">
+        {%- endif -%}
+      {%- endif -%}
+    {%- endif -%}
+  </form>
+</fieldset>
+{%- endif -%}
+
+{%- endif -%}
+{%- endcall -%}
+<div class="userpage-usercard">
+  <div class="usercard plank even contrast-bg minimal no-shadow">
+    <div class="usercard-inner">
+      <img src="{{target_user.get_avatar_url()}}" class="avatar">
+    </div>
+  </div>
+  <div class="plank even minimal no-shadow user-stats">
+    <h3 class="info">{{target_user.get_readable_name()}}</h3>
+    <span>Display name: {{target_user.get_readable_name()}}</span>
+    <span>Mention: @{{target_user.username}}</span>
+    <span>Status: <em>{{target_user.status}}</em></span>
+    <span>Rank: {{target_user.permission | permission_string}}</span>
+    {%- set time = target_user.created_at -%}
+    {%- if target_user.approved_at -%}
+    {%- set time = target_user.approved_at -%}
+    {%- endif -%}
+    <span>Joined: {{timestamp(target_user.created_at)}}</span>
+    {%- if not target_user.is_guest() -%}
+    <span>Posts: <a href="{{url_for('users.posts', username=target_user.username)}}">{{stats.post_count}}</a></span>
+    <span>Threads started: <a href="{{url_for('users.threads', username=target_user.username)}}">{{stats.thread_count}}</a></span>
+    {%- set badges = target_user.get_badges() -%}
+
+    {%- if badges -%}
+    <div class="badges-container nocenter">
+      Badges:
+      {%- for badge in badges -%}
+      {%- if badge.link -%}<a href="{{badge.link}}">{%- endif -%}
+      <img src="{{badge.get_image_url()}}" alt="{{badge.label}}" title="{{badge.label}}" class="badge-button">
+      {%- if badge.link -%}</a>{%- endif -%}
+      {%- endfor -%}
+    </div>
+    {%- endif -%}
+    <fieldset class="plank secondary-bg minimal even no-shadow">
+      <legend>About me</legend>
+      <p>stub</p>
+    </fieldset>
+    {%- if target_user.signature_rendered -%}
+    <fieldset class="plank secondary-bg minimal even no-shadow">
+      <legend>Signature</legend>
+      {{target_user.signature_rendered | safe}}
+    </fieldset>
+    {%- endif -%}
+    {#
+    <fieldset class="plank secondary-bg minimal even no-shadow">
+      <legend>Profile comments</legend>
+      <fieldset class="plank minimal even no-shadow">
+        <legend>Page</legend>
+        {{pager(0, 3, url=url_for('users.log_in'))}}
+      </fieldset>
+      <div class="post plank">
+        <p>stub</p>
+      </div>
+    </fieldset>
+    #}
+    {%- endif -%}
+  </div>
+</div>
+{%- endblock -%}