flask-admin added, admin views added

Author: eshaan7

src/FlaskRTBCTF/__init__.py

@@ -2,25 +2,32 @@
 from flask_sqlalchemy import SQLAlchemy
 from flask_bcrypt import Bcrypt
 from flask_login import LoginManager
+from flask_admin import Admin
 from flask_mail import Mail
 from FlaskRTBCTF.config import Config
 import os
 
 db = SQLAlchemy()
 bcrypt = Bcrypt()
 login_manager = LoginManager()
+admin_manager = Admin()
 login_manager.login_view = 'users.login'
 login_manager.login_message_category = 'info'
 mail = Mail()
 
-
 def create_app(config_class=Config):
 	app = Flask(__name__)
 	app.config.from_object(Config)
 
 	db.init_app(app)
 	bcrypt.init_app(app)
 	login_manager.init_app(app)
+	admin_manager.init_app(app)
+	# Add model views
+	from FlaskRTBCTF.admin.views import MyModelView
+	from FlaskRTBCTF.models import User, Score
+	admin_manager.add_view(MyModelView(User, db.session))
+	admin_manager.add_view(MyModelView(Score, db.session))
 	mail.init_app(app)
 
 	from flask_sslify import SSLify

src/FlaskRTBCTF/admin/__init__.py

@@ -0,0 +1,28 @@
+''' Admin Model Views '''
+
+from flask import abort
+from flask_login import current_user
+from flask_admin.contrib.sqla import ModelView
+
+class MyModelView(ModelView):
+
+    def is_accessible(self):
+        if not current_user.is_authenticated or not current_user.isAdmin:
+        	# permission denied
+        	abort(403)
+        if current_user.isAdmin:
+            return True
+        return False
+
+    def _handle_view(self, name, **kwargs):
+        """
+        Override builtin _handle_view in order to redirect users when a view is
+        not accessible.
+        """
+        if not self.is_accessible():
+            if current_user.is_authenticated:
+                # permission denied
+                abort(403)
+            #else:
+                # login
+            #    return redirect(url_for('user.login', next=request.url))

src/FlaskRTBCTF/admin/views.py

@@ -1,16 +1,20 @@
 import os
 
+''' Flask related Configurations. Note: DO NOT FORGET TO CHANGE SECRET_KEY ! '''
+
 class Config:
     SECRET_KEY = 'you-will-never-guess' # os.environ.get('SECRET_KEY')
     SQLALCHEMY_DATABASE_URI = 'sqlite:///site.db' # os.environ.get('SQLALCHEMY_DATABASE_URI')
     SQLALCHEMY_TRACK_MODIFICATIONS = False 
-    DEBUG = False
+    DEBUG = False # Turn DEBUG OFF before deployment
     MAIL_SERVER = 'smtp.googlemail.com'
     MAIL_PORT = 587
     MAIL_USE_TLS = True
     MAIL_USERNAME = os.environ.get('EMAIL_USER')
     MAIL_PASSWORD = os.environ.get('EMAIL_PASS')
 
+''' CTF related Configuration '''
+
 ctfname = "RootTheBox CTF"
 RunningTime = '{ "from": "3:00 PM 7th July 2019", "to": "12:00 AM 8th July 2019", "TimeZone": "IST" }'
 box = '{ "name": "My Awesome Pwnable Box", "ip": "127.0.0.1", "os": "Linux", "points": { "user": 10, "root": 20 }, "hardness": "You tell" }'
@@ -19,10 +23,4 @@ class Config:
 userScore = 10
 rootScore = 20
 
-'''
-Creating site.db file
-$ source venv/bin/activate
-$ python3 # open python interpreter
->>> from FlaskRTBCTF import db, create_app
->>> db.create_all(app=create_app())
-'''
+# NOTE: CHANGE DEFAULT ADMIN CREDENTIALS in create_db.py !!!

src/FlaskRTBCTF/config.py

@@ -15,6 +15,8 @@ class User(db.Model, UserMixin):
     username = db.Column(db.String(40), unique=True, nullable=False)
     email = db.Column(db.String(120), unique=True, nullable=False)
     password = db.Column(db.String(60), nullable=False)
+    confirmed_at = db.Column(db.DateTime())
+    isAdmin = db.Column(db.Boolean, default=False)
 
     def get_reset_token(self, expires_sec=1800):
         s = Serializer(current_app.config['SECRET_KEY'], expires_sec)
@@ -42,6 +44,8 @@ class Score(db.Model):
 
     def __repr__(self):
         return f"Score('{self.userid}', '{self.score}')"
+
+
 
 
 

src/FlaskRTBCTF/models.py

@@ -40,7 +40,7 @@ def login():
     if form.validate_on_submit():
         user = User.query.filter_by(username=form.username.data).first()
         if user and bcrypt.check_password_hash(user.password, form.password.data):
-            login_user(user, remember=form.remember.data)
+            login_user(user, remember=form.remember.data, force=True)
             next_page = request.args.get('next')
             return redirect(next_page) if next_page else redirect(url_for('main.home'))
         else: