PyPI - platzky - Versions diffs - 0.3.3__tar.gz → 0.3.4__tar.gz - Mend

platzky 0.3.3tar.gz → 0.3.4tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (44) hide show

{platzky-0.3.3 → platzky-0.3.4}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: platzky
-Version: 0.3.3
+Version: 0.3.4
 Summary: Not only blog engine
 License: MIT
 Requires-Python: >=3.10,<4.0

{platzky-0.3.3 → platzky-0.3.4}/platzky/admin/fake_login.py RENAMED Viewed

@@ -8,7 +8,8 @@ environments as it bypasses proper authentication and authorization controls.
 import os
 from typing import Any, Callable
-from flask import Blueprint, flash, redirect, session, url_for
+from flask import Blueprint, flash, redirect, render_template_string, session, url_for
+from flask_wtf import FlaskForm
 from markupsafe import Markup
 ROLE_ADMIN = "admin"
@@ -16,6 +17,17 @@ ROLE_NONADMIN = "nonadmin"
 VALID_ROLES = [ROLE_ADMIN, ROLE_NONADMIN]
+class FakeLoginForm(FlaskForm):
+    """
+    Empty form class that inherits CSRF protection from FlaskForm.
+    Used specifically for the fake login functionality to enable
+    CSRF token validation on form submissions.
+    """
+    pass
 def get_fake_login_html() -> Callable[[], str]:
     """Return a callable that generates HTML for fake login buttons."""
@@ -23,8 +35,11 @@ def get_fake_login_html() -> Callable[[], str]:
         admin_url = url_for("admin.handle_fake_login", role="admin")
         nonadmin_url = url_for("admin.handle_fake_login", role="nonadmin")
-        # Rest of the code remains the same
-        html = f"""
+        # Create a form instance to get the CSRF token
+        form = FakeLoginForm()
+        html = render_template_string(
+            """
         <div class="col-md-6 mb-4">
           <div class="card">
             <div class="card-header">
@@ -33,19 +48,24 @@ def get_fake_login_html() -> Callable[[], str]:
             <div class="card-body">
               <p class="text-danger"><strong>Warning:</strong> For development only</p>
               <div class="d-flex justify-content-around">
-                <form method="post" action="{admin_url}" style="display: inline;">
-                  <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
+                <form method="post" action="{{ admin_url }}" style="display: inline;">
+                  {{ form.csrf_token }}
                   <button type="submit" class="btn btn-primary">Login as Admin</button>
                 </form>
-                <form method="post" action="{nonadmin_url}" style="display: inline;">
-                  <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
+                <form method="post" action="{{ nonadmin_url }}" style="display: inline;">
+                  {{ form.csrf_token }}
                   <button type="submit" class="btn btn-secondary">Login as Non-Admin</button>
                 </form>
               </div>
             </div>
           </div>
         </div>
-        """
+        """,
+            form=form,
+            admin_url=admin_url,
+            nonadmin_url=nonadmin_url,
+        )
         return Markup(html)
     return generate_html
@@ -70,13 +90,15 @@ def setup_fake_login_routes(admin_blueprint: Blueprint) -> Blueprint:
     @admin_blueprint.route("/fake-login/<role>", methods=["POST"])
     def handle_fake_login(role: str) -> Any:
-        if role not in VALID_ROLES:
-            flash(f"Invalid role: {role}. Must be one of: {', '.join(VALID_ROLES)}", "error")
+        form = FakeLoginForm()
+        if form.validate_on_submit() and role in VALID_ROLES:
+            if role == ROLE_ADMIN:
+                session["user"] = {"username": ROLE_ADMIN, "role": ROLE_ADMIN}
+            else:
+                session["user"] = {"username": "user", "role": ROLE_NONADMIN}
             return redirect(url_for("admin.admin_panel_home"))
-        if role == ROLE_ADMIN:
-            session["user"] = {"username": ROLE_ADMIN, "role": ROLE_ADMIN}
-        else:
-            session["user"] = {"username": "user", "role": ROLE_NONADMIN}
+        flash(f"Invalid role: {role}. Must be one of: {', '.join(VALID_ROLES)}", "error")
         return redirect(url_for("admin.admin_panel_home"))
     return admin_blueprint

{platzky-0.3.3 → platzky-0.3.4}/platzky/platzky.py RENAMED Viewed

@@ -3,6 +3,7 @@ import urllib.parse
 from flask import redirect, render_template, request, session
 from flask_minify import Minify
+from flask_wtf import CSRFProtect
 from platzky.admin import admin
 from platzky.blog import blog
@@ -107,6 +108,7 @@ def create_app_from_config(config: Config) -> Engine:
     engine.register_blueprint(seo_blueprint)
     Minify(app=engine, html=True, js=True, cssless=True)
+    CSRFProtect(app=engine)
     return engine

{platzky-0.3.3 → platzky-0.3.4}/pyproject.toml RENAMED Viewed

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "platzky"
-version = "0.3.3"
+version = "0.3.4"
 description = "Not only blog engine"
 authors = []
 license = "MIT"