yagich/pyrom
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add a @redirect_to_own decorator in users app

Browse Source
This commit is contained in:
Lera Elvoé
2025-12-03 08:08:05 +03:00
parent a7876ca410
commit 9951ed3fae
1 changed files with 27 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
app/routes/users.py
View File

@@ -68,6 +68,7 @@ def create_session(user_id):
"expires_at": int(time.time()) + 31 * 24 * 60 * 60, "expires_at": int(time.time()) + 31 * 24 * 60 * 60,
}) })
def extend_session(user_id): def extend_session(user_id):
session_obj = Sessions.find({'key': session['pyrom_session_key']}) session_obj = Sessions.find({'key': session['pyrom_session_key']})
if not session_obj: if not session_obj:
@@ -121,6 +122,19 @@ def redirect_if_logged_in(*args, **kwargs):
return decorator return decorator
def redirect_to_own(view_func):
@wraps(view_func)
def wrapper(username, *args, **kwargs):
user = get_active_user()
if username.lower() != user.username:
view_args = dict(request.view_args)
view_args.pop('username', None)
new_args = {**view_args, 'username': user.username}
return redirect(url_for(request.endpoint, **new_args))
return view_func(username, *args, **kwargs)
return wrapper
def login_required(view_func): def login_required(view_func):
@wraps(view_func) @wraps(view_func)
def wrapper(*args, **kwargs): def wrapper(*args, **kwargs):
@@ -302,16 +316,14 @@ def page(username):
@bp.get("/<username>/settings") @bp.get("/<username>/settings")
@login_required @login_required
@redirect_to_own
def settings(username): def settings(username):
target_user = Users.find({'username': username.lower()})
if target_user.id != get_active_user().id:
return redirect('.settings', username = get_active_user().username)
return render_template('users/settings.html') return render_template('users/settings.html')
@bp.post('/<username>/settings') @bp.post('/<username>/settings')
@login_required @login_required
@redirect_to_own
def settings_form(username): def settings_form(username):
# we silently ignore the passed username # we silently ignore the passed username
# and grab the correct user from the session # and grab the correct user from the session
@@ -367,6 +379,7 @@ def settings_form(username):
@bp.post('/<username>/set_avatar') @bp.post('/<username>/set_avatar')
@login_required @login_required
@redirect_to_own
def set_avatar(username): def set_avatar(username):
user = get_active_user() user = get_active_user()
if user.is_guest(): if user.is_guest():
@@ -410,6 +423,7 @@ def set_avatar(username):
@bp.post('/<username>/change_password') @bp.post('/<username>/change_password')
@login_required @login_required
@redirect_to_own
def change_password(username): def change_password(username):
user = get_active_user() user = get_active_user()
password = request.form.get('new_password') password = request.form.get('new_password')
@@ -432,6 +446,7 @@ def change_password(username):
@bp.post('/<username>/clear_avatar') @bp.post('/<username>/clear_avatar')
@login_required @login_required
@redirect_to_own
def clear_avatar(username): def clear_avatar(username):
user = get_active_user() user = get_active_user()
if user.is_default_avatar(): if user.is_default_avatar():
@@ -524,11 +539,9 @@ def guest_user(user_id):
@bp.get("/<username>/inbox") @bp.get("/<username>/inbox")
@login_required @login_required
@redirect_to_own
def inbox(username): def inbox(username):
user = get_active_user() user = get_active_user()
if username.lower() != user.username:
return redirect(url_for(".inbox", username = user.username))
new_posts = [] new_posts = []
subscription = Subscriptions.find({"user_id": user.id}) subscription = Subscriptions.find({"user_id": user.id})
all_subscriptions = None all_subscriptions = None
@@ -666,6 +679,7 @@ def reset_link_login_form(key):
@bp.get('/<username>/invite-links/') @bp.get('/<username>/invite-links/')
@login_required @login_required
@redirect_to_own
def invite_links(username): def invite_links(username):
target_user = Users.find({ target_user = Users.find({
'username': username.lower() 'username': username.lower()
@@ -673,9 +687,6 @@ def invite_links(username):
if not target_user or not target_user.can_invite(): if not target_user or not target_user.can_invite():
return redirect(url_for('.page', username=username)) return redirect(url_for('.page', username=username))
if target_user.username != get_active_user().username:
return redirect(url_for('.invite_links', username=target_user.username))
invites = InviteKeys.findall({ invites = InviteKeys.findall({
'created_by': target_user.id 'created_by': target_user.id
}) })
@@ -685,6 +696,7 @@ def invite_links(username):
@bp.post('/<username>/invite-links/create') @bp.post('/<username>/invite-links/create')
@login_required @login_required
@redirect_to_own
def create_invite_link(username): def create_invite_link(username):
target_user = Users.find({ target_user = Users.find({
'username': username.lower() 'username': username.lower()
@@ -692,9 +704,6 @@ def create_invite_link(username):
if not target_user or not target_user.can_invite(): if not target_user or not target_user.can_invite():
return redirect(url_for('.page', username=username.lower())) return redirect(url_for('.page', username=username.lower()))
if target_user.username != get_active_user().username:
return redirect(url_for('.invite_links', username=target_user.username))
invite = InviteKeys.create({ invite = InviteKeys.create({
'created_by': target_user.id, 'created_by': target_user.id,
'key': secrets.token_urlsafe(20), 'key': secrets.token_urlsafe(20),
@@ -705,6 +714,7 @@ def create_invite_link(username):
@bp.post('/<username>/invite-links/revoke') @bp.post('/<username>/invite-links/revoke')
@login_required @login_required
@redirect_to_own
def revoke_invite_link(username): def revoke_invite_link(username):
target_user = Users.find({ target_user = Users.find({
'username': username.lower() 'username': username.lower()
@@ -712,9 +722,6 @@ def revoke_invite_link(username):
if not target_user or not target_user.can_invite(): if not target_user or not target_user.can_invite():
return redirect(url_for('.page', username=username.lower())) return redirect(url_for('.page', username=username.lower()))
if target_user.username != get_active_user().username:
return redirect(url_for('.invite_links', username=target_user.username))
invite = InviteKeys.find({ invite = InviteKeys.find({
'key': request.form.get('key'), 'key': request.form.get('key'),
}) })
@@ -732,10 +739,9 @@ def revoke_invite_link(username):
@bp.get('/<username>/bookmarks') @bp.get('/<username>/bookmarks')
@login_required @login_required
@redirect_to_own
def bookmarks(username): def bookmarks(username):
target_user = Users.find({'username': username.lower()}) target_user = get_active_user()
if not target_user or target_user.username != get_active_user().username:
return redirect(url_for('.bookmarks', username=get_active_user().username))
collections = target_user.get_bookmark_collections() collections = target_user.get_bookmark_collections()
@@ -744,10 +750,9 @@ def bookmarks(username):
@bp.get('/<username>/bookmarks/collections') @bp.get('/<username>/bookmarks/collections')
@login_required @login_required
@redirect_to_own
def bookmark_collections(username): def bookmark_collections(username):
target_user = Users.find({'username': username.lower()}) target_user = get_active_user()
if not target_user or target_user.username != get_active_user().username:
return redirect(url_for('.bookmark_collections', username=get_active_user().username))
collections = target_user.get_bookmark_collections() collections = target_user.get_bookmark_collections()
return render_template('users/bookmark_collections.html', collections=collections) return render_template('users/bookmark_collections.html', collections=collections)