clean stale sessions

prevent admin from deleting their account
2025-12-20 20:11:44 +03:00 · 2025-12-20 19:05:01 +03:00
2 changed files with 30 additions and 2 deletions
--- a/app/init.py
+++ b/app/init.py
@@ -1,6 +1,6 @@
 from flask import Flask, session, request, render_template
 from dotenv import load_dotenv
-from .models import Avatars, Users, PostHistory, Posts, MOTD, BadgeUploads
+from .models import Avatars, Users, PostHistory, Posts, MOTD, BadgeUploads, Sessions
 from .auth import digest
 from .routes.users import is_logged_in, get_active_user, get_prefers_theme
 from .constants import (
@@ -138,6 +138,16 @@ def bind_default_badges(path):
                    'uploaded_at': int(os.path.getmtime(real_path)),
                })

+def clear_stale_sessions():
+    from .db import db
+    with db.transaction():
+        now = int(time.time())
+        stale_sessions = Sessions.findall([
+            ('expires_at', '<', now)
+        ])
+        for sess in stale_sessions:
+            sess.delete()
+

 cache = Cache()

@@ -226,6 +236,8 @@ def create_app():
        create_admin()
        create_deleted_user()

+        clear_stale_sessions()
+
        reparse_babycode()

        bind_default_badges(app.config['BADGES_PATH'])
--- a/app/routes/users.py
+++ b/app/routes/users.py
@@ -74,7 +74,17 @@ def validate_and_create_badge(input_image, filename):
        return False

 def is_logged_in():
-    return "pyrom_session_key" in session
+    if "pyrom_session_key" not in session:
+        return False
+    sess = Sessions.find({"key": session["pyrom_session_key"]})
+    if not sess:
+        return False
+    if sess.expires_at < int(time.time()):
+        session.clear()
+        sess.delete()
+        flash('Your session expired.;Please log in again.', InfoboxKind.INFO)
+        return False
+    return True


 def get_active_user():
@@ -83,6 +93,8 @@ def get_active_user():
    sess = Sessions.find({"key": session["pyrom_session_key"]})
    if not sess:
        return None
+    if sess.expires_at < int(time.time()):
+        return None
    return Users.find({"id": sess.user_id})


@@ -884,6 +896,10 @@ def delete_page_confirm(username):
        flash('Incorrect password.', InfoboxKind.ERROR)
        return redirect(url_for('.delete_page', username=username))

+    if target_user.is_admin():
+        flash('You cannot delete the admin account.', InfoboxKind.ERROR)
+        return redirect(url_for('.delete_page', username=username))
+
    anonymize_user(target_user.id)
    sessions = Sessions.findall({'user_id': int(target_user.id)})
    for session_obj in sessions:
Author	SHA1	Message	Date
Lera Elvoé	40219f2b54	clean stale sessions	2025-12-20 20:11:44 +03:00
Lera Elvoé	4a45b62521	prevent admin from deleting their account	2025-12-20 19:05:01 +03:00