Browse Source

/deletescore was enabled without admin authorisation

pull/14/head
Rogier Neeleman 8 years ago
parent
commit
61545ef91b
  1. 19
      nfgame.py

19
nfgame.py

@ -289,24 +289,21 @@ def tag_found(taghash):
@app.route('/admin/<string:password>') @app.route('/admin/<string:password>')
def admin_page(password): def admin_page(password):
if password == app.config['ADMIN_PASSWORD']: if password == app.config['ADMIN_PASSWORD']:
session['admin'] = 'true'
return render_template('admin_page.html') return render_template('admin_page.html')
else: else:
return redirect(url_for('index')) return redirect(url_for('index'))
@app.route('/deletescore') @app.route('/deletescore')
def delete_score(): def delete_score():
db = get_db() if 'admin' in session and session['admin'] == 'true':
cur = db.execute("delete from score") db = get_db()
db.commit() cur = db.execute("delete from score")
db.commit()
return render_template('admin_page.html') return render_template('admin_page.html')
else:
@app.route('/deleteuser') return redirect(url_for('index'))
def delete_user():
session.pop('username', None)
session.pop('id', None)
return render_template('admin_page.html')
if __name__ == '__main__': if __name__ == '__main__':
app.run(threaded=True) app.run(threaded=True)

Loading…
Cancel
Save