From 3b27788917b29f0c42b84c87f7e14ba38edbdf05 Mon Sep 17 00:00:00 2001
From: Johannes Schilling
Date: Fri, 21 Apr 2017 18:17:42 +0200
Subject: [PATCH 1/3] dudel.wsgi: correctly find real path of the rest of the code
previously, the abspath() of server.wsgi was added to the python import path. abspath() however only cleans up the given path string, with no filesystem interaction like resolving symlinks etc. some webservers (like apache2) require .wsgi files to be in an accessible location (like webroot), where for security you might not want to put your whole code, thus encouraging the use of symlinks.
---
 dudel.wsgi | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/dudel.wsgi b/dudel.wsgi
index a17cab7..55396e1 100644
--- a/dudel.wsgi
+++ b/dudel.wsgi
@@ -1,7 +1,10 @@
 #!/usr/bin/env python2
 import sys, os, datetime
-path = os.path.dirname(os.path.abspath(__file__))
+# this file might be symlinked somewhere (e.g. apache2 needs .wsgi files
+# in an accessible location like webroot), so we need to find the actual
+# path for the rest of the code
+path = os.path.dirname(os.path.realpath(__file__))
 # Activate the virtual environment to load the library.
 # TODO: change this if your virtual environment is not located at ./env
From 467d66fc217d456b25a61e55268be0999c1a78c7 Mon Sep 17 00:00:00 2001
From: Johannes Schilling
Date: Wed, 16 Aug 2017 17:44:24 +0200
Subject: [PATCH 2/3] maybe add unique constraint to user.username
i couldn't test this yet, so.. use with care
---
 dudel/models/user.py | 4 ++--
 migrations/alembic.ini | 2 ++
 ...d6add3ec469_add_some_unique_constraints.py | 24 +++++++++++++++++++
 3 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 migrations/versions/cd6add3ec469_add_some_unique_constraints.py
diff --git a/dudel/models/user.py b/dudel/models/user.py
index 6acd115..96ac06e 100644
--- a/dudel/models/user.py
+++ b/dudel/models/user.py
@@ -42,10 +42,10 @@ class User(Member):
 id = db.Column(db.Integer, db.ForeignKey("member.id"), primary_key=True)
 firstname = db.Column(db.String(80))
 lastname = db.Column(db.String(80))
- username = db.Column(db.String(80))
+ username = db.Column(db.String(80), unique=True)
 password = db.Column(db.LargeBinary)
 _displayname = db.Column(db.String(80))
- email = db.Column(db.String(80))
+ email = db.Column(db.String(80), unique=True)
 preferred_language = db.Column(db.String(80))
 autowatch = db.Column(db.Boolean, default=False)
 allow_invitation_mails = db.Column(db.Boolean, default=True)
diff --git a/migrations/alembic.ini b/migrations/alembic.ini
index f8ed480..3da0e42 100644
--- a/migrations/alembic.ini
+++ b/migrations/alembic.ini
@@ -8,6 +8,8 @@
 # the 'revision' command, regardless of autogenerate
 # revision_environment = false
+script_location = migrations
+
 # Logging configuration
 [loggers]
diff --git a/migrations/versions/cd6add3ec469_add_some_unique_constraints.py b/migrations/versions/cd6add3ec469_add_some_unique_constraints.py
new file mode 100644
index 0000000..583007f
--- /dev/null
+++ b/migrations/versions/cd6add3ec469_add_some_unique_constraints.py
@@ -0,0 +1,24 @@
+"""add some unique constraints
+
+Revision ID: cd6add3ec469
+Revises: 250e3d22d78e
+Create Date: 2017-08-16 17:03:55.180080
+
+"""
+
+# revision identifiers, used by Alembic.
+revision = 'cd6add3ec469'
+down_revision = '250e3d22d78e'
+
+from alembic import op
+import sqlalchemy as sa
+
+
+def upgrade():
+ op.create_unique_constraint("unique_user_name", "user",
+ ["username"])
+ op.create_unique_constraint("unique_user_email", "user", ["email"])
+
+def downgrade():
+ op.drop_constraint("unique_user_name")
+ op.drop_constraint("unique_user_email")
From 0bebf73bc3f802e3217f66fdaeae542b10cb0949 Mon Sep 17 00:00:00 2001
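Review bot: `unique=True` on `username` and `email` is enforced by the database on the stored bytes, so `Foo@example.org` and `foo@example.org` (and, on case-sensitive backends such as PostgreSQL or SQLite, `Alice` and `alice`) still register as two separate accounts; whichever code path writes these columns (not visible here) should normalise first, e.g. `user.email = form.email.data.strip().lower()`, or the constraint gives a false sense of one-account-per-address. Both columns stay nullable and most backends treat NULLs as distinct, so the constraint does not stop several users with no e-mail address — fine if intended, but worth stating on the `email` line: `# nullable: NULLs do not collide under the unique constraint`. The `class User(Member)` body starts and ends outside the hunk.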
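Review bot: Both calls in `downgrade()` omit Alembic's mandatory `table_name` argument, so `op.drop_constraint("unique_user_name")` raises `TypeError` before reaching the database and the migration cannot be reverted; they should read `op.drop_constraint("unique_user_name", "user", type_="unique")` and `op.drop_constraint("unique_user_email", "user", type_="unique")` (`type_` matters on MySQL, which needs to know it is dropping an index-backed constraint). `upgrade()` will also abort on any deployment whose `user` table already holds duplicate usernames or e-mails, which the commit message's "couldn't test this yet" does not cover; a note such as `# NOTE: fails if duplicate usernames/e-mails already exist — deduplicate before upgrading` above `upgrade()` would save the operator a surprise. If SQLite is among the supported backends, `create_unique_constraint` has to run inside `op.batch_alter_table("user")`, since SQLite cannot add a constraint to an existing table in place.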
From: Johannes Schilling
Date: Wed, 16 Aug 2017 21:28:05 +0200
Subject: [PATCH 3/3] views: add check for duplicate username
before, the code would just fail on the unique constraint for user.username
---
 dudel/views.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/dudel/views.py b/dudel/views.py
index 6ad9c31..e235ff8 100644
--- a/dudel/views.py
+++ b/dudel/views.py
@@ -123,6 +123,9 @@ def register():
 if form.validate_on_submit():
 user = User()
 form.populate_obj(user)
+ if get_user(user.username):
+ flash(gettext("Username already taken, sorry"), "error")
+ return redirect(url_for("register"))
 user.set_password(form.password1.data)
 db.session.add(user)
 db.session.commit()
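Review bot: The new `if get_user(user.username):` check does not remove the failure the commit message describes: two registrations of the same name can both pass the lookup and one of them still dies with an uncaught `IntegrityError` at `db.session.commit()`, and the same commit now also enforces the unique `email` column that this view never checks at all, so a duplicate e-mail address produces a server error today. Keep the pre-check for the friendly message, but back it by catching the constraint violation at commit time, rolling back and flashing as for the username case (`IntegrityError` comes from `sqlalchemy.exc`, which must be imported at file level). Whether `get_user` matches case-insensitively is not visible here, and `register()` starts and ends outside the hunk.
```python
        user.set_password(form.password1.data)
        db.session.add(user)
        try:
            db.session.commit()
        except IntegrityError:
            # lost the race with a concurrent registration, or the e-mail is taken
            db.session.rollback()
            flash(gettext("Username or e-mail address already taken, sorry"), "error")
            return redirect(url_for("register"))
```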