From 559b402c4e46f0747e6c0c37b113106e776a42e0 Mon Sep 17 00:00:00 2001 From: Aevann1 Date: Sat, 16 Apr 2022 17:04:34 +0200 Subject: [PATCH] fds --- files/helpers/wrappers.py | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/files/helpers/wrappers.py b/files/helpers/wrappers.py index 4212728d1..f9980a28c 100644 --- a/files/helpers/wrappers.py +++ b/files/helpers/wrappers.py @@ -18,17 +18,18 @@ def get_logged_in_user(): else: lo_user = session.get("lo_user") if lo_user: - nonce = session.get("login_nonce", 0) id = int(lo_user) v = g.db.query(User).filter_by(id=id).one_or_none() - if v and nonce >= v.login_nonce: - if v.id != id: abort(400) - v.client = None + if v: + nonce = session.get("login_nonce", 0) + if nonce < v.login_nonce or v.id != id: abort(401) if request.method != "GET": submitted_key = request.values.get("formkey") if not submitted_key: abort(401) - elif not v.validate_formkey(submitted_key): abort(401) + if not v.validate_formkey(submitted_key): abort(401) + + v.client = None if request.method.lower() != "get" and app.config['SETTINGS']['Read-only mode'] and not (v and v.admin_level):
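Review bot: The new `if nonce < v.login_nonce or v.id != id: abort(401)` rejects a stale session but leaves `lo_user` in the session, so the same client will presumably get a 401 on every later request that passes through get_logged_in_user until the cookie is cleared by hand; it is worth confirming that the login route stays reachable after a nonce bump. Treating the stale session as logged out avoids that without weakening the check, for example `if v and session.get("login_nonce", 0) < v.login_nonce: session.pop("lo_user", None); v = None` placed ahead of `if v:`. The `v.id != id` half can never be true, because `v` was just fetched with `filter_by(id=id)`, so it can be dropped. The function starts before this hunk and continues after it, so how `v` is used afterwards is not visible here.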