security: fix CSRF on internal cache dump route

move dumping internal cache to admin tools
master
justcool393 2022-11-02 20:35:32 -05:00
parent 098dd7be38
commit 4a252e9699
2 changed files with 13 additions and 13 deletions


@ -473,14 +473,9 @@ def change_settings(v, setting):
return {'message': f"{setting} {word}d successfully!"} return {'message': f"{setting} {word}d successfully!"}
@app.post("/admin/purge_cache") @app.post("/admin/purge_cache")
@admin_level_required(PERMS['SITE_CACHE_PURGE_CDN']) @admin_level_required(PERMS['SITE_CACHE_PURGE_CDN'])
def purge_cache(v): def purge_cache(v):
if v.admin_level >= PERMS['SITE_CACHE_DUMP_INTERNAL']:
online = cache.get(ONLINE_STR)
cache.clear()
cache.set(ONLINE_STR, online)
if not purge_entire_cache(): if not purge_entire_cache():
abort(400, 'Failed to purge cache') abort(400, 'Failed to purge cache')
ma = ModAction( ma = ModAction(
@ -488,22 +483,20 @@ def purge_cache(v):
user_id=v.id user_id=v.id
) )
g.db.add(ma) g.db.add(ma)
return {"message": "Cache purged!"} return {"message": "CDN cache purged!"}
@app.get("/admin/dump_cache") @app.post("/admin/dump_cache")
@admin_level_required(PERMS['SITE_CACHE_DUMP_INTERNAL']) @admin_level_required(PERMS['SITE_CACHE_DUMP_INTERNAL'])
def admin_dump_cache(v): def admin_dump_cache(v):
online = cache.get(ONLINE_STR) online = cache.get(ONLINE_STR)
cache.clear() cache.clear()
cache.set(ONLINE_STR, online) cache.set(ONLINE_STR, online)
ma = ModAction( ma = ModAction(
kind="dump_cache", kind="dump_cache",
user_id=v.id user_id=v.id
) )
g.db.add(ma) g.db.add(ma)
return {"message": "Internal cache cleared!"}
return {"message": "Internal cache cleared."}
@app.post("/admin/under_attack") @app.post("/admin/under_attack")
@admin_level_required(PERMS['SITE_SETTINGS_UNDER_ATTACK']) @admin_level_required(PERMS['SITE_SETTINGS_UNDER_ATTACK'])
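Review bot: Moving `/admin/dump_cache` from GET to POST only removes the cross-site GET vector if POST requests to this route are also checked for a CSRF token; neither `admin_level_required` nor any token check is visible in this hunk, so confirm that the decorator or a before-request hook validates the token for admin POST routes. The function name and the `kind="dump_cache"` ModAction suggest an export, while the body actually clears the in-process cache (`cache.clear()`) and re-inserts only the `ONLINE_STR` entry, which deserves a docstring on `admin_dump_cache`, e.g. `"""Clear the internal cache, preserving the value stored under ONLINE_STR, and record a dump_cache ModAction."""`. `purge_cache` starts in the previous hunk, so only the tail of its body is visible here.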


@ -138,15 +138,22 @@
<label class="custom-control-label" for="under_attack">Under attack mode</label> <label class="custom-control-label" for="under_attack">Under attack mode</label>
</div> </div>
{% endif %} {% endif %}
{% if v.admin_level >= PERMS['SITE_CACHE_PURGE_CDN'] %}
<button type="button" class="btn btn-primary mt-3" onclick="postToast(this,'/admin/purge_cache');" style="margin-bottom: 2em;">PURGE CACHE</button>
{% endif %}
<br> <br>
{% if SITE_NAME == 'PCM' and v.admin_level >= PERMS['PRINT_MARSEYBUX_FOR_KIPPY_ON_PCMEMES'] %} {% if SITE_NAME == 'PCM' and v.admin_level >= PERMS['PRINT_MARSEYBUX_FOR_KIPPY_ON_PCMEMES'] %}
<button type="button" class="btn btn-primary" onclick="postToast(this,'/kippy');" style="margin-bottom: 2em;">Print 10k Marseybux</button> <button type="button" class="btn btn-primary" onclick="postToast(this,'/kippy');" style="margin-bottom: 2em;">Print 10k Marseybux</button>
{% endif %} {% endif %}
{% endif %} {% endif %}
{% if v.admin_level >= PERMS['SITE_CACHE_PURGE_CDN'] or v.admin_level >= PERMS['SITE_CACHE_DUMP_INTERNAL'] %}
<h4>Caching</h4>
{% if v.admin_level >= PERMS['SITE_CACHE_PURGE_CDN'] %}
<button type="button" class="btn btn-primary mt-3" onclick="postToast(this,'/admin/purge_cache');" style="margin-bottom: 2em;">PURGE CDN CACHE</button>
{% endif %}
{% if v.admin_level >= PERMS['SITE_CACHE_DUMP_INTERNAL'] %}
<button type="button" class="btn btn-primary mt-3" onclick="postToast(this,'/admin/dump_cache');" style="margin-bottom: 2em;">DUMP INTERNAL CACHE</button>
{% endif %}
{% endif %}
<h4>Server Status</h4> <h4>Server Status</h4>
<div> <div>
Live Revision: <code>{{gitref}}</code> <br> Live Revision: <code>{{gitref}}</code> <br>
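Review bot: The new button labelled `DUMP INTERNAL CACHE` reads like a read-only export, but the route it posts to clears the in-process cache (per the handler change in this commit), so an admin may click it expecting no side effect; a label such as `CLEAR INTERNAL CACHE` would match what happens. Both buttons rely on `postToast` to issue the POST, and since the CSRF fix in this commit depends on that request carrying the site's CSRF token, it is worth confirming that `postToast` attaches it rather than sending a bare POST. The `{% if %}` block closed by the `{% endif %}` just before the new `Caching` section starts outside this hunk.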