added a small bcrypt secret to protect edit pages

4 years ago · acc7d0da1a
10 changed files with 121 additions and 12 deletions
--- a/library/borrowform.py
+++ b/library/borrowform.py
@ -0,0 +1,33 @@
+"""Form object declaration."""
+from flask_wtf import FlaskForm
+from wtforms import (
+    StringField,
+    SubmitField,
+)
+from wtforms import validators
+from wtforms.validators import Length
+
+
+
+class BorrowForm(FlaskForm):
+    """Borrow a book form."""
+
+    borrowed = StringField(
+        "Fill in your name if you're going to borrow this publication.",
+        [
+            validators.InputRequired(),
+            Length(
+                min=3, message="Just so we know who is borrowing this book."
+            ),
+        ],
+    )
+    secret = StringField(
+        "Librarians secret:",
+        [
+            validators.InputRequired(),
+            Length(
+                min=2, message="Fill in the secret to unlock to library."
+            ),
+        ],
+    )
+    submit = SubmitField("Borrow")
--- a/library/csvparser/varlib.csv
+++ b/library/csvparser/varlib.csv
@ -1,6 +1,6 @@
 Id,Publication,Author,Year,Custodian,Fields,Type,Publishers,License,LicenseShort,Highlights,Comments,Currently borrowed by
 1,The Economics of Anarchism,Anarcho,2012,Varia,"Economics, Anarchism",Zine,theanarchistlibrary.org,Anti-copyright,Anti-copyright,"The labourer retains, even after  he has recieved his wages, a natural right in the thing he has produced",,No one
-2,Identity Politics - An Anthology,The Anarchist Library,,Varia,Identity politics,Zine,Paper Jam Collective,No license mentioned,No license mentioned,,me,
+2,Identity Politics - An Anthology,The Anarchist Library,,Varia,Identity politics,Zine,Paper Jam Collective,No license mentioned,No license mentioned,,me,Danny
 3,The mythology of work,CrimeThinc.com,,Varia,"Work, Anticapitalism",Zine,CrimeThinc.com,No license mentioned,No license mentioned,,"A selection from 'Work', a 376-page analysis of contemporary capitalism",
 4,Forget Shorter Showers - Why Personal Change Does Not Equal Political Change,Derrick Jensen,2009,Varia,Environmental justice,Zine,,No license mentioned,No license mentioned,Green consumerism isn't enough.,,
 5,Choreo-Graphic-Hypothesis,"<meta-author=""Joana Chicau"";>",2018,Varia,"Live Coding, Choreography",Paperback,Self published: Joana Chicau,Free Art License 1.3,Free Art License,"Theatrical actions are not necessary to the performance, Avoid if at all possible",,
@ -52,3 +52,4 @@ Id,Publication,Author,Year,Custodian,Fields,Type,Publishers,License,LicenseShort
 60,Networks of one's own #1: Etherbox,"Michael Murtaugh, An Mertens, Roel Roscam Abbing, Femke Snelting",2018,Varia,"Networks, Digital Infrastructures, DIY, DIWO, Executable publication, Experimental Publishing, wireless",Paperback,Constant Verlag,Copyleft,Copyleft,,,
 61,Mots de la cage aux ours - woorden uit de berenkuil,Constant,2012,Varia,"words, language, Bruxelles",Softcover,Constant,Copyleft,Copyleft,,,
 62,Snake rituals and switching circuits,Florian Cramer,2009,Danny,"mass communication, personal communication, new media",paperback,Piet Zwart Institute,Creative Commons Attribution-Share Alike 3.0,Creative Commons,The function of a medium is ultimately decided by its users and not by its creators,,
+63,Magium issue 1: On Eating in isolation,Alice Strete,2020,Varia,"food, sharing, personal stories, consumption",zine,Self Published,Free Art License,Free Art License,,,Danny
--- a/library/page.py
+++ b/library/page.py
@ -5,6 +5,7 @@ import flask
 from requests import get
 from icalendar import Calendar
 import datetime
+import bcrypt
 from flask import (
    render_template,
    redirect,
@ -12,6 +13,7 @@ from flask import (
 )
 from rnrfeed.rnrfeeder import getevents, getlatestevent
 from uploadform import PublicationForm
+from borrowform import BorrowForm
 from csvparser.csvparser import (
    getlicenses,
    getpublications,
@ -19,6 +21,7 @@ from csvparser.csvparser import (
    getyears,
    getfullpublication,
    writepublication,
+    editborrowedby,
 )
 from flask_wtf.csrf import CSRFProtect

@ -50,7 +53,8 @@ def index():
 def upload():
    uploadform = PublicationForm()
    if request.method == 'POST':
-        if uploadform.validate_on_submit():
+        if (uploadform.validate_on_submit() and
+                checksecret(uploadform.secret.data)):
            id = writepublication(uploadform)
            return redirect(str(id), code=303)
        else:
@ -59,12 +63,29 @@ def upload():
    return render_template("upload.html", uploadform=uploadform)


-@APP.route("/<publicationID>")
+@APP.route("/<publicationID>", methods=["GET", "POST"])
 def show_book(publicationID):
    """route for a publication, still needs to be made"""
    fullpublication = getfullpublication(publicationID)
-    # parse csv, render template with full list.
-    return render_template("publication.html", fullpublication=fullpublication)
+    borrowform = BorrowForm()
+    if request.method == 'POST':
+        if (borrowform.validate_on_submit() and
+                checksecret(borrowform.secret.data)):
+            editborrowedby(publicationID, borrowform.borrowed.data)
+            fullpublication["Borrowed"] = borrowform.borrowed.data
+            return render_template(
+                        "publication.html",
+                        fullpublication=fullpublication,
+                        publicationID=publicationID,
+                        borrowform=borrowform
+                        )
+    # return a full publication with or without form errors
+    return render_template(
+                "publication.html",
+                fullpublication=fullpublication,
+                publicationID=publicationID,
+                borrowform=borrowform
+                )


@APP.route("/pastevents")
@ -100,6 +121,15 @@ def upcoming_or_latest():
    return dict(upcoming=upcoming)


+def checksecret(secret):
+    with open("secret") as f:
+        secrethash = f.readline().rstrip()
+        if bcrypt.checkpw(secret.encode("utf-8"), secrethash.encode("utf-8")):
+            return True
+        else:
+            return False
+
+
 if __name__ == "__main__":
    APP.debug = True
    APP.run(port=5000)
--- a/library/secret
+++ b/library/secret
@ -0,0 +1 @@
+$2b$12$kZC/e1smAiBCntQxLUpsZ.H0Y5VkWG/YLt18wIdGmONtijkXYaVsO
--- a/library/static/css/style.css
+++ b/library/static/css/style.css
@ -69,6 +69,7 @@ body:after {

 #bookshelf > div > a {
  color: black;
+  text-decoration: none;
 }

 #publication {
@ -87,7 +88,7 @@ body:after {

 .event {
  margin: 0 1em 1em;
-  max-width: 90%;
+  max-width: calc(90% - 3em);
  margin-top: 3em;
  padding: 6px;
  display: block;
--- a/library/static/css/upload.css
+++ b/library/static/css/upload.css
@ -15,7 +15,7 @@

 .uploadform-field {
  margin: 0;
-  padding: 1em;
+  padding: 1em 0em 1em 0em;
 }

 input[type=text], select {
@ -25,7 +25,6 @@ input[type=text], select {
  margin: 1em 0;
  display: inline-block;
  border: 1px solid #ccc;
-  border-radius: 4px;
  box-sizing: border-box;
 }

@ -34,12 +33,16 @@ input[type=submit] {
  text-align: right;
  color: white;
  padding: 1em 3em;
-  margin: 1em 1em;
  border: none;
-  border-radius: 4px;
  cursor: pointer;
 }

 input[type=submit]:hover {
  background-color: #404d81;
 }
+
+fieldset{
+  border:0 none;
+  padding-top: 0em;
+  padding-left: 0em;
+}
--- a/library/templates/publication.html
+++ b/library/templates/publication.html
@ -47,8 +47,30 @@
      <td><p>{{ fullpublication["Comments"] }}</p></td>
    </tr>
    <tr>
-      <td>Currently borrowed by</td>
-      <td>No one</td>
+      <td>Currently borrowed by:</td>
+      <td><p>{{ fullpublication["Borrowed"] }}</p></td>
+    </tr>
+    <tr>
+      <td colspan="2">
+        <form class="borrow" method="POST" action="/{{ publicationID }}">
+          {{ borrowform.csrf_token }}
+          <fieldset class="borrowform-field">
+              {{ borrowform.borrowed.label }}
+              {{ borrowform.borrowed }}
+              {% for message in borrowform.borrowed.errors %}
+               <div class="error">{{ message }}</div>
+              {% endfor %}
+          </fieldset>
+          <fieldset class="borrowform-field">
+              {{ borrowform.secret.label }}
+              {{ borrowform.secret }}
+              {% for message in borrowform.secret.errors %}
+               <div class="error">{{ message }}</div>
+              {% endfor %}
+          </fieldset>
+          {{ borrowform.submit }}
+        <form>
+      </td>
    </tr>
  </tbody>
 </table>
--- a/library/templates/upload.html
+++ b/library/templates/upload.html
@ -89,6 +89,14 @@
 					{{ uploadform.borrowed }}
 			</fieldset>

+			<fieldset class="borrowform-field">
+					{{ uploadform.secret.label }}
+					{{ uploadform.secret }}
+					{% for message in uploadform.secret.errors %}
+					 <div class="error">{{ message }}</div>
+					{% endfor %}
+			</fieldset>
+
 			{{ uploadform.submit }}

 	</form>
--- a/library/uploadform.py
+++ b/library/uploadform.py
@ -77,4 +77,13 @@ class PublicationForm(FlaskForm):
    highlights = TextField("Highlights from the publication:")
    comments = TextField("Comments on the publication:")
    borrowed = StringField("Currently borrowed by:")
+    secret = StringField(
+        "Librarians secret:",
+        [
+            validators.InputRequired(),
+            Length(
+                min=2, message="Fill in the secret to unlock to library."
+            ),
+        ],
+    )
    submit = SubmitField("Submit")
--- a/requirements.txt
+++ b/requirements.txt
@ -3,3 +3,4 @@ feedparser
 flask
 flask_wtf
 requests
+bcrypt
			`@ -0,0 +1 @@`
			`$2b$12$kZC/e1smAiBCntQxLUpsZ.H0Y5VkWG/YLt18wIdGmONtijkXYaVsO`