## Hosts the photocosm web server via Flask: the public pages plus the editor's JSON/upload endpoints.

# external libraries
from flask import Blueprint, Flask, request, redirect, render_template, jsonify, flash, url_for, send_from_directory
from flask_login import current_user, login_required

# core libraries
import os.path

# internal code
from . import db

# Blueprint for the public pages and the editor endpoints below; presumably
# registered by the application factory (not visible in this file).
main = Blueprint('main', __name__)

# main page
# GET = get main page
@main.route("/", methods=['GET'])
def home():
    """Render the landing page with every collection the store lists.

    No access check is applied here; ``db.get_collection_list`` decides what
    is listed (whether it filters private collections is not visible here).
    """
    listed = db.get_collection_list()
    return render_template("home.html", collections=listed)

# editor page
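@main.route("/editor", methods=['GET'])
def editor():
    """Render the editor page for the collection named by ``?collection=``.

    Access checks run in this order: the caller must be logged in, the
    collection must exist, and the caller must be allowed to edit it.  Each
    failure flashes a message and redirects (login page or home page).

    Two changes from the earlier version: the ``request.method == "GET"`` test
    is gone, because the route admits only GET (Flask maps HEAD onto it) and
    any other method fell through to an implicit ``None`` return, i.e. a 500;
    and authentication now precedes the existence lookup so that anonymous
    callers cannot use the different redirect targets to enumerate ids.

    Returns:
        The rendered ``editor.html`` response, or a redirect response.
    """
    collection_id = request.args.get("collection")

    if not current_user.is_authenticated:
        flash("You must be logged in to edit collections!")
        return redirect(url_for('auth.login'))
    # A missing query parameter is treated like an unknown id rather than
    # being passed to the store as None.
    if not collection_id or not db.get_collection(collection_id):
        flash("No such collection exists!")
        return redirect(url_for('main.home'))
    if not db.validate_user(collection_id, current_user.email):
        flash("You do not have permission to edit this collection!")
        return redirect(url_for('main.home'))
    return render_template("editor.html", collection_id=collection_id)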

# get latest collection data (in editor)
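@main.route("/editorgetlatestinfo", methods=["POST"])
@login_required
def editor_request_update():
    """Tell the editor whether the collection changed since its last refresh.

    Expects a JSON body ``{"collection": <id>, "last_updated": <stamp>}``.
    ``last_updated`` is whatever the client sent and is compared with ``>``
    against the stored ``last_edited``; a type mismatch (string, null, list)
    used to raise TypeError and surface as a 500, and is now reported as an
    invalid request.

    Returns:
        JSON ``{"status": "OK", "update": True, "collection": <record>}`` when
        the server copy is newer, ``{"status": "OK", "update": False}``
        otherwise, or ``{"status": "ERROR: ..."}`` on a validation or
        permission failure (all with HTTP 200, like the sibling endpoints).
    """
    content = request.get_json()
    if not content or ("collection" not in content) or ("last_updated" not in content):
        return jsonify({"status" : "ERROR: Invalid request."})

    collection_id = content["collection"]
    client_last_update = content["last_updated"]
    collection = db.get_collection(collection_id)

    if not collection:
        return jsonify({"status" : "ERROR: No such collection."})
    # @login_required already rejects anonymous callers; kept as belt-and-braces.
    if not current_user.is_authenticated:
        return jsonify({"status" : "ERROR: You must be logged in to edit collections."})
    if not db.validate_user(collection_id, current_user.email):
        return jsonify({"status" : "ERROR: You do not have permission to edit this collection."})

    try:
        server_is_newer = collection["last_edited"] > client_last_update
    except TypeError:
        # Client sent a value that cannot be ordered against last_edited.
        return jsonify({"status" : "ERROR: Invalid request."})

    if server_is_newer:
        # NOTE(review): the whole stored record is returned; confirm it holds
        # nothing (e.g. the sharing list) an editor should not see.
        return jsonify({"status" : "OK", "update" : True, "collection" : collection})

    return jsonify({"status" : "OK", "update" : False})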

# upload media to collection from editor
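@main.route("/editormediaupload", methods=['POST'])
@login_required
def file_upload():
    """Attach the uploaded files (multipart field ``files``) to a collection.

    ``collection_id`` comes from the multipart form.  A missing id, an id with
    no matching collection (a check the sibling JSON endpoints already make),
    and a caller without edit rights all receive the same ``PERMISSION
    DENIED`` answer, so the endpoint cannot be used to probe which ids exist.

    Returns:
        JSON ``{"STATUS": "OK"}`` or ``{"STATUS": "PERMISSION DENIED"}``.
        The upper-case ``STATUS`` key differs from the ``status`` key used by
        the JSON endpoints; it is preserved because the editor's JavaScript
        (not visible here) presumably reads it.
    """
    # NOTE(review): this is a plain multipart POST rather than a get_json()
    # endpoint, so a cross-site HTML form can submit it.  If the app factory
    # does not install a CSRF guard (not visible from this file), add one here.
    collection_id = request.form.get('collection_id')
    if not collection_id or not db.get_collection(collection_id):
        return jsonify({"STATUS" : "PERMISSION DENIED"})
    if not db.validate_user(collection_id, current_user.email):
        return jsonify({"STATUS" : "PERMISSION DENIED"})

    # Filename sanitising and size/type limits are left to db.add_media_bulk
    # (an empty list is passed through unchanged) — confirm it applies them.
    files = request.files.getlist("files")
    db.add_media_bulk(collection_id, files)

    return jsonify({"STATUS" : "OK"})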

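@main.route("/editoreditmedia", methods=['POST'])
@login_required
def edit_media():
    """Apply a batch of per-media edits to a collection.

    Expects JSON ``{"collection": <id>, "edits": [{"media_id": ..., "changes":
    ...}, ...]}``.  The whole ``edits`` list is validated before any edit is
    stored, so a malformed entry no longer leaves the batch half-applied and
    no longer surfaces as a KeyError-driven 500.  ``changes`` itself is passed
    to ``db.edit_media`` as-is; its shape is defined by the store.

    Returns:
        JSON ``{"status": "OK", "update": False}`` on success, otherwise
        ``{"status": "ERROR: ..."}``.
    """
    content = request.get_json()
    if not isinstance(content, dict) or "collection" not in content:
        return jsonify({"status" : "ERROR: Invalid request."})
    edits = content.get("edits")
    if not isinstance(edits, list):
        return jsonify({"status" : "ERROR: Invalid request."})
    for edit in edits:
        if not isinstance(edit, dict) or "media_id" not in edit or "changes" not in edit:
            return jsonify({"status" : "ERROR: Invalid request."})

    collection_id = content["collection"]
    collection = db.get_collection(collection_id)

    if not collection:
        return jsonify({"status" : "ERROR: No such collection."})
    # @login_required already rejects anonymous callers; kept to match siblings.
    if not current_user.is_authenticated:
        return jsonify({"status" : "ERROR: You must be logged in to edit collections."})
    if not db.validate_user(collection_id, current_user.email):
        return jsonify({"status" : "ERROR: You do not have permission to edit this collection."})

    # NOTE(review): db.edit_media is trusted to scope media_id to this
    # collection; a media_id belonging to another collection must be rejected
    # there — confirm.
    for edit in edits:
        db.edit_media(collection_id, edit["media_id"], edit["changes"])

    return jsonify({"status" : "OK", "update" : False})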

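@main.route("/editorshare", methods=['POST'])
@login_required
def share():
    """Change who can access a collection.

    Expects JSON ``{"collection": <id>}`` plus either or both of
    ``"user_email"``/``"perm"`` (grant ``perm`` to that user) and
    ``"public"`` (set the collection's public flag).  ``perm`` is now required
    whenever ``user_email`` is present; previously a body with only
    ``user_email`` raised KeyError and produced a 500.  Validation happens
    before either store call so a bad body changes nothing.

    Returns:
        JSON ``{"status": "OK", "update": False}`` on success, otherwise
        ``{"status": "ERROR: ..."}``.
    """
    content = request.get_json()
    if not isinstance(content, dict) or "collection" not in content:
        return jsonify({"status" : "ERROR: Invalid request."})
    grant_requested = "user_email" in content
    if grant_requested and "perm" not in content:
        return jsonify({"status" : "ERROR: Invalid request."})

    collection_id = content["collection"]
    collection = db.get_collection(collection_id)

    if not collection:
        return jsonify({"status" : "ERROR: No such collection."})
    # @login_required already rejects anonymous callers; kept to match siblings.
    if not current_user.is_authenticated:
        return jsonify({"status" : "ERROR: You must be logged in to edit collections."})
    # NOTE(review): validate_user is the same check the editing endpoints use.
    # Whether an editor (as opposed to the owner) should be able to re-share or
    # publish the collection is not decidable from this file — confirm.
    if not db.validate_user(collection_id, current_user.email):
        return jsonify({"status" : "ERROR: You do not have permission to edit this collection."})

    # The perm and public values are forwarded unvalidated; the store is
    # expected to reject unknown permission levels / non-boolean flags.
    if grant_requested:
        db.set_user_permissions(collection_id, content["user_email"], content["perm"])
    if "public" in content:
        db.set_collection_public(collection_id, content["public"])

    return jsonify({"status" : "OK", "update" : False})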

@main.route("/editorcollectioninfo", methods=['POST'])
@login_required
def edit_collection_info():
    """Apply the editor's metadata edits to a collection.

    Expects JSON ``{"collection": <id>, "edits": <payload>}``; ``edits`` is
    handed to ``db.set_collection_info`` unchanged (its shape is defined by
    the store, not here).  Every failure is reported as
    ``{"status": "ERROR: ..."}`` with HTTP 200, like the sibling endpoints.

    Returns:
        JSON ``{"status": "OK", "update": False}`` on success.
    """
    payload = request.get_json()
    malformed = not payload or "collection" not in payload or "edits" not in payload
    if malformed:
        return jsonify({"status" : "ERROR: Invalid request."})

    target_id = payload["collection"]
    if not db.get_collection(target_id):
        return jsonify({"status" : "ERROR: No such collection."})
    # Redundant with @login_required; preserved to match the sibling handlers.
    if not current_user.is_authenticated:
        return jsonify({"status" : "ERROR: You must be logged in to edit collections."})
    if not db.validate_user(target_id, current_user.email):
        return jsonify({"status" : "ERROR: You do not have permission to edit this collection."})

    db.set_collection_info(target_id, payload["edits"])
    return jsonify({"status" : "OK", "update" : False})

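@main.route("/editordeletemedia", methods=['POST'])
@login_required
def delete_media():
    """Remove media items from a collection.

    Expects JSON ``{"collection": <id>, "to_be_removed": [<media_id>, ...]}``.
    ``to_be_removed`` is checked to be a list before anything is deleted; a
    missing or non-list value is an invalid request rather than a
    KeyError-driven 500.  The debug ``print`` calls that echoed the raw
    request body and every delete result to stdout are removed: they logged
    client-controlled data and were leftover debugging output.

    Returns:
        JSON ``{"status": "OK", "update": False}`` on success, otherwise
        ``{"status": "ERROR: ..."}``.
    """
    content = request.get_json()
    if not isinstance(content, dict) or "collection" not in content:
        return jsonify({"status" : "ERROR: Invalid request."})
    to_be_removed = content.get("to_be_removed")
    if not isinstance(to_be_removed, list):
        return jsonify({"status" : "ERROR: Invalid request."})

    collection_id = content["collection"]
    collection = db.get_collection(collection_id)

    if not collection:
        return jsonify({"status" : "ERROR: No such collection."})
    # @login_required already rejects anonymous callers; kept to match siblings.
    if not current_user.is_authenticated:
        return jsonify({"status" : "ERROR: You must be logged in to edit collections."})
    if not db.validate_user(collection_id, current_user.email):
        return jsonify({"status" : "ERROR: You do not have permission to edit this collection."})

    # NOTE(review): db.delete_media is trusted to scope media_id to this
    # collection and to ignore ids that belong elsewhere — confirm.
    for media_id in to_be_removed:
        db.delete_media(collection_id, media_id)

    return jsonify({"status" : "OK", "update" : False})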

# access media content
@main.route('/content/<path:path>')
def send_content(path):
    """Serve a file from the ``content`` directory by its URL path.

    ``send_from_directory`` joins ``path`` onto the directory with werkzeug's
    safe_join, which refuses ``..`` segments and absolute paths, so the
    ``<path:>`` converter does not by itself open a directory-traversal hole.
    Two things to confirm against the deployment: a relative directory name
    resolves against the app root on Flask 2+ but against the process working
    directory on older releases; and there is no login or per-collection
    check on this route, so any file under ``content`` is readable by anyone
    who knows or can guess its name, whether or not the owning collection is
    public.
    """
    media_root = 'content'
    return send_from_directory(media_root, path)