minor patches

2025-04-25 09:51:01 +01:00 · 2025-04-25 09:51:01 +01:00 · 630410797b
commit 630410797b
parent 439975ce96
6 changed files with 32 additions and 5 deletions
--- a/.gitignore
+++ b/.gitignore
@ -3,4 +3,5 @@ app.log
 __pycache__/
 database.db
 .env
-flask_session
+flask_session
+temp
--- a/src/html/board.html
+++ b/src/html/board.html
@ -9,6 +9,8 @@
    <p>{{ board.description }}</p>
    {% if board.owner_id == session.user_id %}
        <h6><a href="/boards/delete/{{ board.id }}">Delete Board</a></h6>
+    {% elif session.perms == "admin" %}
+        <h6><a href="/boards/delete/{{ board.id }}">Delete Board</a></h6>
    {% endif %}
    {% if session.user_id %}
        <br>
--- a/src/html/post.html
+++ b/src/html/post.html
@ -34,7 +34,7 @@
    {% endif %}
    <p>{{post.content}}</p>
    <h6>
-        {% if session.name == "SYSTEM" %}
+        {% if session.perms == "admin" %}
            <a href="/delete/post/{{ post.id }}">Delete</a>
        {% elif session.name == post.user.name %}
            <a href="/delete/post/{{ post.id }}">Delete</a>
--- a/src/html/templates/post.html
+++ b/src/html/templates/post.html
@ -20,7 +20,7 @@
        {% if post.replies > 0 %}
        ({{ post.replies }} replies)
        {% endif %}
-        {% if session.name == "SYSTEM" %}
+        {% if session.perms == "admin" %}
        | <a href="/delete/post/{{ post.id }}">Delete</a>
        {% elif session.name == post.user.name %}
        | <a href="/delete/post/{{ post.id }}">Delete</a>
--- a/src/html/templates/short_post.html
+++ b/src/html/templates/short_post.html
@ -20,7 +20,7 @@
        {% if post.replies > 0 %}
        ({{ post.replies }} replies)
        {% endif %}
-        {% if session.name == "SYSTEM" %}
+        {% if session.perms == "admin" %}
        | <a href="/delete/post/{{ post.id }}">Delete</a>
        {% elif session.name == post.user.name %}
        | <a href="/delete/post/{{ post.id }}">Delete</a>
--- a/src/main.py
+++ b/src/main.py
@ -20,7 +20,7 @@ console_log.setFormatter(logging.Formatter("\033[1;32m%(asctime)s\033[0m - \033[
 console_log.setLevel(logging.INFO)

 # Create file handler with a specific format
-file_log = logging.FileHandler(env('LOG_FILE', default='app.log'))
+file_log = logging.FileHandler(env('LOG_FILE', default='app.log'), mode=env('LOG_MODE', default='a'))
 file_log.setFormatter(logging.Formatter("%(asctime)s - %(levelname)s - %(name)s - %(message)s"))
 file_log.setLevel(logging.DEBUG)

@ -550,6 +550,16 @@ def delete_board(board_id):
        return redirect('/login')
    log.debug(f"Token validated for user {user[1]}")

+    # Check if user owns the board or is admin
+    board = db.execute_query("SELECT * FROM boards WHERE id = ?", (board_id,), fetch_type=FETCHONE)
+    if not board:
+        log.error("Board not found")
+        return render_template('error.html', error="Board not found")
+    
+    if board[4] != user[0] and session['perms'] != 'admin':
+        log.error("User does not have permission to delete this board")
+        return render_template('error.html', error="You do not have permission to delete this board")
+
    # Delete the board
    db.execute_query("DELETE FROM boards WHERE id = ?", (board_id,))
    log.info(f"Board ID {board_id} deleted successfully")
@ -598,6 +608,10 @@ def new_post():
        log.error("No post content provided")
        return render_template('error.html', error="No post content provided")
    
+    if len(content) > 10000:
+        log.error("Post content is too long")
+        return render_template('error.html', error="Post content is too long")
+    
    attachments = request.files.getlist('attachments')

    reference = request.form.get('reference')
@ -675,6 +689,16 @@ def delete_post(post_id):
        return redirect('/login')
    log.debug(f"Token validated for user {user[1]}")

+    # Check if user owns the post or is admin
+    post = db.execute_query("SELECT * FROM posts WHERE id = ?", (post_id,), fetch_type=FETCHONE)
+    if not post:
+        log.error("Post not found")
+        return render_template('error.html', error="Post not found")
+    
+    if post[1] != user[0] and session['perms'] != 'admin':
+        log.error("User does not have permission to delete this post")
+        return render_template('error.html', error="You do not have permission to delete this post")
+
    # Delete the post
    db.execute_query("DELETE FROM posts WHERE id = ?", (post_id,))
    log.info(f"Post ID {post_id} deleted successfully")