Improved the security

a09a17d1 · Yukun Ge · 3a072c79 · a09a17d1 · a09a17d1 · a09a17d1
Commit a09a17d1 authored 3 years ago by Yukun Ge
--- a/blog/__init__.py
+++ b/blog/__init__.py
@@ -17,6 +17,4 @@ app.logger.info("db is created")

 from blog import models
 db.create_all()
-
-
 from blog import routes
--- a/blog/models.py
+++ b/blog/models.py
 from datetime import datetime
-from blog import db
+from blog import db, app
+from werkzeug.security import check_password_hash, generate_password_hash


 class Post(db.Model):
@@ -28,11 +29,23 @@ class User(db.Model):
    def __init__(self, username, email, password):
        self.email = email
        self.username = username
-        self.password = password
+        self.password_hash = password

    def __repr__(self):
        return f"User('{self.username}', '{self.email}')"

+    def verify_password(self, password):
+        app.logger.info(f"check password for {password}")
+        return check_password_hash(self.password, password)
+
+    @property
+    def password_hash(self):
+        raise AttributeError('Password is not readable.')
+
+    @password_hash.setter
+    def password_hash(self, password):
+        self.password = generate_password_hash(password)
+

 class Comment(db.Model):
    id = db.Column(db.Integer, primary_key=True)

--- a/blog/routes.py
+++ b/blog/routes.py
@@ -107,7 +107,7 @@ def login():
            login_user = User.query.filter_by(email=login_email).first()
            if login_user is None:
                error = f'error user info'
-            elif not check_password_hash(login_user.password, login_password):
+            elif not login_user.verify_password(login_password):
                error = f'error user info'
            if error is None:
                session.clear()
@@ -140,8 +140,8 @@ def register():
        if form.validate_on_submit():
            try:
                user = User(form.username.data,
-                            form.email.data, generate_password_hash(form.password.data))
-                app.logger.info(f'{user} login succes')
+                            form.email.data, form.password.data)
+                app.logger.info(f'{user} login success')
                db.session.add(user)
                db.session.commit()
                session.clear()

--- a/blog/templates/base.html
+++ b/blog/templates/base.html
@@ -14,9 +14,10 @@ filename='style.css') }}">
            <li id='home'><a href="{{ url_for('home') }}">home</a></li>
            {% if username!='Guest' %}
            <li id='logout'><a href="{{ url_for('logout') }}">logout</a></li>
-            {% endif %}
+            {% else %}
            <li id='login'><a href="{{ url_for('login') }}">login</a></li>
            <li id='register'><a href="{{ url_for('register') }}">register</a></li>
+            {% endif %}
        </ul>
        <h1 id="pers_greet" class='pers_greet'>Hello, {{username}}!</h1>
    <div>

--- a/blog/templates/post.html
+++ b/blog/templates/post.html
@@ -54,6 +54,6 @@

 <script>
  var t = document.getElementById("add-form");
-  t.style.display = "none"; // 隐藏选择的元素
+  t.style.display = "none";
 </script>
 {% endblock main %}