From dd160916a8f1a9028d95d7e0344d40544078151f Mon Sep 17 00:00:00 2001
From: Frederick Yin
Date: Wed, 2 Feb 2022 23:22:50 +0800
Subject: Reject auth actions other than login/register

---
 jimbrella/auth.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/jimbrella/auth.py b/jimbrella/auth.py
index c7e2fa3..39d355b 100644
--- a/jimbrella/auth.py
+++ b/jimbrella/auth.py
@@ -38,19 +38,22 @@ def auth(action):
         if not check_password_hash(user["password"], password):
             return show_error("login", "Incorrect password. Sorry.")
-    else:
+    elif action == "register":
         if not ACCEPT_NEW_USERS:
             return show_error("register", "Sorry, but user registrations are closed.")
         try:
             users.register(username, generate_password_hash(password), "en-US")
         except UsernameTakenError as e:
             return show_error("register", e.message)
+    else:
+        abort(400)
     # give access
     session.clear()
     session["username"] = username
     return redirect(url_for("admin.index"))
+
 @bp.route("/logout")
 def logout():
     session.pop("username", None)
--
cgit v1.2.3
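Review bot: The new `else: abort(400)` branch depends on `abort` being in scope in jimbrella/auth.py, and the hunk does not show the module's imports; if it is not already imported, an unknown `action` raises NameError (a 500) rather than the intended 400, so `from flask import abort` (alongside the existing `redirect`/`url_for`/`session` imports) should be confirmed. Since `abort` raises, the `# give access` lines below are unreachable for unknown actions, which is the right outcome for an auth endpoint, but it is worth stating: `abort(400)  # raises; the session is never granted for unrecognised actions`. The enclosing `auth` body starts before the hunk, so the `if action == "login":` branch the new `elif` pairs with is not visible here.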