hotfix

2025-07-05 10:13:28 +02:00 · 2025-07-05 10:13:28 +02:00 · a95e8a00b8
commit a95e8a00b8
parent eeda5062ae
7 changed files with 46 additions and 39 deletions
--- a/Server/Host/flaskApp.py
+++ b/Server/Host/flaskApp.py
@ -37,7 +37,7 @@ login_manager.init_app(app)

 if config['OTHER']['first_startup'] == 'True':
    print("Please enter a Secure Admin Password:")
-    add._create_user('Admin',input())
+    add._create_user(config['SETTINGS']['user'],input())
    config.set('OTHER', 'first_startup', 'False')
    with open('Options.ini', 'w') as configfile:
        config.write(configfile)
@ -112,9 +112,9 @@ def orders(): #TODO on new orderGet refresh orders list
@app.route("/order_get", methods=['GET','POST'])
 def order_get():
    desk= 1
-
+    global config
    #POST order
-    if request.method == 'POST' and config['SETTINGS']['lockqrcode_whit_secret'] == True:
+    if request.method == 'POST' and config['SETTINGS']['lockqrcode_whit_secret'] == 'True':
        ordered_list = []
        desk = request.form['desk']
        form = request.form
@ -133,18 +133,17 @@ def order_get():
    elif request.method == 'GET':
        desk = int(request.args['desk'])
        secret = int(request.args['secret'])
-        try:#TODO FIX! #Feature = True #TODO:Encryption Salting hasing and anti rainbow attack for qr code?? (needed?) 
-            if config['SETTINGS']['lockqrcode_whit_secret'] and compare.is_QRSecret_valid(desk,secret):
-                return render_template('index.html', desk=desk, MAX_DESKS=config['DEFAULT']['max_desks'], orderableItems = get.valid_products(get_json_=True))
-            elif config['SETTINGS']['lockqrcode_whit_secret'] == False:
-                return render_template('index.html', desk=desk, MAX_DESKS=config['DEFAULT']['max_desks'],orderableItems = get.valid_products(get_json_=True))
-            return '<h1>404 wrong Secret?</h1>' #TODO Make the HTML prettier for all 
-        except:
-            return '<h1>Server/code issue?</h1>'
-    elif config['SETTINGS']['lockqrcode_whit_secret'] == True:
+        if config['SETTINGS']['lockqrcode_whit_secret'] == 'True' and compare.is_QRSecret_valid(desk,secret):
+            return render_template('index.html', desk=desk, MAX_DESKS=int(config['DEFAULT']['max_desks']), orderableItems = get.valid_products(get_json_=True))
+        elif config['SETTINGS']['lockqrcode_whit_secret'] == 'False':
+            return render_template('index.html', desk=desk, MAX_DESKS=int(config['DEFAULT']['max_desks']),orderableItems = get.valid_products(get_json_=True))
+        else:
+            return '<h1>Somethign went wrong try again.</h1>' #TODO Make the HTML prettier for all 
+        return '<h1>404 wrong Secret?</h1>' #TODO Make the HTML prettier for all 
+    elif config['SETTINGS']['lockqrcode_whit_secret'] == 'True':
        return '<h1>your LOCKQRCODE is invalid.</h1>'
    else:
-        return render_template('index.html',desk=desk, MAX_DESKS=config['DEFAULT']['max_desks'],orderableItems = get.valid_products(get_json_=True))
+        return render_template('index.html',desk=desk, MAX_DESKS=int(config['DEFAULT']['max_desks']),orderableItems = get.valid_products(get_json_=True))

 app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///db.db'
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
--- a/Server/Host/templates/index.html
+++ b/Server/Host/templates/index.html
@ -7,7 +7,8 @@
    <title>Document</title>
 </head>
 <body>
-    <form name="order" onsubmit="return validateForm()" action="{{ url_for('order_get') }}"  method="POST" class="flex-container">
+    <form name="order" onsubmit="return validateForm()" action="{{ url_for('order_get') }}" method="POST" class="flex-container">
+        <input type="hidden" name="csrf_token" value="{{ csrf_token() }}"/>
        <li class="box desk-nr">Tisch Nummer
            <div>
            <select name="desk" class="desk-select">
--- a/Server/Host/templates/orders.html
+++ b/Server/Host/templates/orders.html
@ -46,10 +46,7 @@
                </ul>
            </td>
            <td>
-                <button 
-                    class="finish-btn" 
-                    onclick="markFinished({{ order[2] }})"
-                    id="btn-{{ order[2] }}">
+                <button class="finish-btn" onclick="markFinished({{ order[2] }})" id="btn-{{ order[2] }}">
                    Finished
                </button>
            </td>
@ -59,15 +56,17 @@
        <tr><td colspan="3">No open orders.</td></tr>
        {% endfor %}
    </table>
-
    <script>
+        var csrfToken = "{{ csrf_token() }}";
        // Track active timers for each order
        window.activeTimers = {};

        function markFinished(orderId) {
+            
            fetch('/orders', {
                method: 'POST',
-                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded', 
+                        'X-CSRFToken': csrfToken },
                body: `order_id=${orderId}&action=finish`
            })
            .then(response => response.json())
@ -106,7 +105,8 @@

            fetch('/orders', {
                method: 'POST',
-                headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+                headers: { 'Content-Type': 'application/x-www-form-urlencoded' ,
+                    'X-CSRFToken': csrfToken },
                body: `order_id=${orderId}&action=undo`
            })
            .then(response => response.json())