almet/ihatemoney
1
0
Fork 0
mirror of https://github.com/spiral-project/ihatemoney.git synced 2025-05-05 20:51:49 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Use a hashed password for ADMIN_PASSWORD

Browse source 
A generate_password_hash manage.py command is provided
Fixes #233
This commit is contained in:
0livd 2017-06-23 18:01:41 +02:00
parent db29648956
commit 999df67a96
4 changed files with 25 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
budget/manage.py
View file

@ -1,15 +1,26 @@
#!/usr/bin/env python #!/usr/bin/env python
from flask_script import Manager from flask_script import Manager, Command
from flask_migrate import Migrate, MigrateCommand from flask_migrate import Migrate, MigrateCommand
from werkzeug.security import generate_password_hash
from run import app from run import app
from models import db from models import db
from getpass import getpass
class GeneratePasswordHash(Command):
"Get password from user and hash it without printing it in clear text"
def run(self):
password = getpass(prompt='Password: ')
print(generate_password_hash(password))
migrate = Migrate(app, db) migrate = Migrate(app, db)
manager = Manager(app) manager = Manager(app)
manager.add_command('db', MigrateCommand) manager.add_command('db', MigrateCommand)
manager.add_command('generate_password_hash', GeneratePasswordHash)
if __name__ == '__main__': if __name__ == '__main__':

3
budget/tests/tests.py
View file

@ -10,6 +10,7 @@ import json
from collections import defaultdict from collections import defaultdict
import six import six
from werkzeug.security import generate_password_hash
from flask import session from flask import session
# Unset configuration file env var if previously set # Unset configuration file env var if previously set
@ -376,7 +377,7 @@ class BudgetTestCase(TestCase):
self.assertNotIn('raclette', session) self.assertNotIn('raclette', session)
def test_admin_authentication(self): def test_admin_authentication(self):
run.app.config['ADMIN_PASSWORD'] = "pass" run.app.config['ADMIN_PASSWORD'] = generate_password_hash("pass")
# test the redirection to the authentication page when trying to access admin endpoints # test the redirection to the authentication page when trying to access admin endpoints
resp = self.app.get("/create") resp = self.app.get("/create")

12
budget/web.py
View file

@ -13,6 +13,8 @@ from flask import Blueprint, current_app, flash, g, redirect, \
render_template, request, session, url_for, send_file render_template, request, session, url_for, send_file
from flask_mail import Mail, Message from flask_mail import Mail, Message
from flask_babel import get_locale, gettext as _ from flask_babel import get_locale, gettext as _
from werkzeug.security import generate_password_hash, \
check_password_hash
from smtplib import SMTPRecipientsRefused from smtplib import SMTPRecipientsRefused
import werkzeug import werkzeug
from sqlalchemy import orm from sqlalchemy import orm
@ -35,10 +37,10 @@ def requires_admin(f):
""" """
@wraps(f) @wraps(f)
def admin_auth(*args, **kws): def admin_auth(*args, **kws):
admin_password = session.get('admin_password', '') is_admin = session.get('is_admin')
if not admin_password == current_app.config['ADMIN_PASSWORD']: if is_admin or not current_app.config['ADMIN_PASSWORD']:
raise Redirect303(url_for('.admin', goto=request.path))
return f(*args, **kws) return f(*args, **kws)
raise Redirect303(url_for('.admin', goto=request.path))
return admin_auth return admin_auth
@ -87,8 +89,8 @@ def admin():
goto = request.args.get('goto', url_for('.home')) goto = request.args.get('goto', url_for('.home'))
if request.method == "POST": if request.method == "POST":
if form.validate(): if form.validate():
if form.admin_password.data == current_app.config['ADMIN_PASSWORD']: if check_password_hash(current_app.config['ADMIN_PASSWORD'], form.admin_password.data):
session['admin_password'] = form.admin_password.data session['is_admin'] = True
session.update() session.update()
return redirect(goto) return redirect(goto)
else: else:

4
docs/installation.rst
View file

@ -85,7 +85,9 @@ properly.
+----------------------------+---------------------------+-----------------------------------------------------------------------------+ +----------------------------+---------------------------+-----------------------------------------------------------------------------+
| ACTIVATE_DEMO_PROJECT | ``True`` | If set to `True`, a demo project will be available on the frontpage. | | ACTIVATE_DEMO_PROJECT | ``True`` | If set to `True`, a demo project will be available on the frontpage. |
+----------------------------+---------------------------+-----------------------------------------------------------------------------+ +----------------------------+---------------------------+-----------------------------------------------------------------------------+
| ADMIN_PASSWORD | ``""`` | If not empty, the specified password must be entered to create new projects | | | ``""`` | If not empty, the specified password must be entered to create new projects.|
| ADMIN_PASSWORD | | It needs to be hashed with the following command : |
| | | budget/manage.py generate_password_hash |
+----------------------------+---------------------------+-----------------------------------------------------------------------------+ +----------------------------+---------------------------+-----------------------------------------------------------------------------+
.. _`the SQLAlechemy documentation`: http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls .. _`the SQLAlechemy documentation`: http://docs.sqlalchemy.org/en/latest/core/engines.html#database-urls