fix session bug
parent
a44bc53f3a
commit
fcdad601fb
|
@ -43,7 +43,9 @@ def before_request():
|
||||||
request.full_path = request.full_path.rstrip('?').rstrip('/')
|
request.full_path = request.full_path.rstrip('?').rstrip('/')
|
||||||
if not request.full_path: request.full_path = '/'
|
if not request.full_path: request.full_path = '/'
|
||||||
|
|
||||||
session_init()
|
if not session.get("session_id"):
|
||||||
|
session.permanent = True
|
||||||
|
session["session_id"] = secrets.token_hex(49)
|
||||||
|
|
||||||
|
|
||||||
@app.after_request
|
@app.after_request
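Review bot: The inlined session bootstrap on the new side leaves undocumented why `session_id` is minted here, while the next hunk of this commit drops the `session_init()` guard from `calc_users`, which now indexes `session["session_id"]` directly and therefore depends on this before_request code having already run. A one-line comment would make that ordering contract explicit: `# mint the anonymous session id once per session; later code (e.g. calc_users) indexes session["session_id"] directly`. Note that `session.permanent = True` is set only on the branch that mints a fresh id, so a session that already carries a `session_id` keeps whatever lifetime it had — presumably intended, but worth confirming. `before_request` begins above the hunk.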
|
||||||
|
|
|
@ -12,17 +12,13 @@ from files.helpers.settings import get_setting
|
||||||
from files.routes.routehelpers import validate_formkey
|
from files.routes.routehelpers import validate_formkey
|
||||||
from files.__main__ import app, cache, db_session, limiter
|
from files.__main__ import app, cache, db_session, limiter
|
||||||
|
|
||||||
def session_init():
|
|
||||||
if not session.get("session_id"):
|
|
||||||
session.permanent = True
|
|
||||||
session["session_id"] = secrets.token_hex(49)
|
|
||||||
|
|
||||||
def calc_users(v):
|
def calc_users(v):
|
||||||
|
if not g.is_api_or_xhr: return
|
||||||
loggedin = cache.get(f'{SITE}_loggedin') or {}
|
loggedin = cache.get(f'{SITE}_loggedin') or {}
|
||||||
loggedout = cache.get(f'{SITE}_loggedout') or {}
|
loggedout = cache.get(f'{SITE}_loggedout') or {}
|
||||||
timestamp = int(time.time())
|
timestamp = int(time.time())
|
||||||
|
|
||||||
session_init()
|
|
||||||
if v:
|
if v:
|
||||||
if session["session_id"] in loggedout: del loggedout[session["session_id"]]
|
if session["session_id"] in loggedout: del loggedout[session["session_id"]]
|
||||||
loggedin[v.id] = timestamp
|
loggedin[v.id] = timestamp
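Review bot: The new early return `if not g.is_api_or_xhr: return` bails out for every non-API, non-XHR request, so only API/XHR traffic ever reaches the loggedin/loggedout bookkeeping below it; if the intent was the opposite (keep API/XHR noise out of the visitor counters), the test is inverted and should read `if g.is_api_or_xhr: return`. Either way the line deserves a comment stating which traffic is meant to be counted. Dropping the `session_init()` call also turns `session["session_id"]` below into a bare index that raises KeyError if before_request has not run for this request, and the only assignment of `g.is_api_or_xhr` visible in this commit is in get_logged_in_user, so calc_users must be invoked after that point — a `# requires before_request and get_logged_in_user to have run for this request` note would pin that. `calc_users` continues past the end of the hunk.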
|
||||||
|
@ -48,7 +44,7 @@ def get_logged_in_user():
|
||||||
token = request.headers.get("Authorization","").strip()
|
token = request.headers.get("Authorization","").strip()
|
||||||
if token:
|
if token:
|
||||||
client = g.db.query(ClientAuth).filter(ClientAuth.access_token == token).one_or_none()
|
client = g.db.query(ClientAuth).filter(ClientAuth.access_token == token).one_or_none()
|
||||||
if client:
|
if client:
|
||||||
v = client.user
|
v = client.user
|
||||||
v.client = client
|
v.client = client
|
||||||
else:
|
else:
|
||||||
|
@ -57,19 +53,19 @@ def get_logged_in_user():
|
||||||
id = int(lo_user)
|
id = int(lo_user)
|
||||||
v = get_account(id, graceful=True)
|
v = get_account(id, graceful=True)
|
||||||
if not v:
|
if not v:
|
||||||
session.clear()
|
session.pop("lo_user")
|
||||||
return None
|
v = None
|
||||||
else:
|
else:
|
||||||
nonce = session.get("login_nonce", 0)
|
nonce = session.get("login_nonce", 0)
|
||||||
if nonce < v.login_nonce or v.id != id:
|
if nonce < v.login_nonce or v.id != id:
|
||||||
session.clear()
|
session.pop("lo_user")
|
||||||
return None
|
v = None
|
||||||
|
|
||||||
if request.method != "GET":
|
if v:
|
||||||
submitted_key = request.values.get("formkey")
|
if request.method != "GET":
|
||||||
if not validate_formkey(v, submitted_key): abort(401)
|
submitted_key = request.values.get("formkey")
|
||||||
|
if not validate_formkey(v, submitted_key): abort(401)
|
||||||
v.client = None
|
v.client = None
|
||||||
g.is_api_or_xhr = bool((v and v.client) or request.headers.get("xhr"))
|
g.is_api_or_xhr = bool((v and v.client) or request.headers.get("xhr"))
|
||||||
|
|
||||||
if request.method.lower() != "get" and get_setting('Read-only mode') and not (v and v.admin_level >= PERMS['SITE_BYPASS_READ_ONLY_MODE']):
|
if request.method.lower() != "get" and get_setting('Read-only mode') and not (v and v.admin_level >= PERMS['SITE_BYPASS_READ_ONLY_MODE']):
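Review bot: Replacing `session.clear()` with `session.pop("lo_user")` on both invalidation paths narrows what a failed account lookup or a stale `login_nonce` discards: `login_nonce` and any other session keys now survive, whereas the old code wiped the whole session. That is presumably deliberate so `session_id` stays available for the anonymous bookkeeping in calc_users, but the code should say so and it is worth confirming that no other session key carries authentication state, e.g. `# pop only the login binding so session_id survives; NOTE(review): confirm no other session key grants access`. `session.pop("lo_user")` without a default also raises KeyError if the key is missing; `session.pop("lo_user", None)` is the safer spelling, since the guard that read `lo_user` is above this hunk and not visible here. `get_logged_in_user` starts before the hunk and its body continues after it.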
|
||||||
|
|