Fixes in security

2025-11-05 13:24:17 +01:00 · 2025-11-05 13:24:17 +01:00 · 849cb07b7b
commit 849cb07b7b
parent a7c29c0d38
4 changed files with 55 additions and 20 deletions
--- a/paramecio2/modules/admin/app.py
+++ b/paramecio2/modules/admin/app.py
@ -17,6 +17,10 @@ from paramecio2.libraries.sendmail import SendMail
 from paramecio2.libraries.formsutils import check_csrf
 from hmac import compare_digest as compare_hash
 from paramecio2.modules.admin.libraries.admin_auth import admin_prepare, admin_finished, modules_access
+try:
+    import ujson as json
+except:
+    import json

 try:
    import crypt
@ -168,14 +172,14 @@ def login():
                        
                        timestamp=int(time())+315360000
                        
-                        resp.set_cookie('remember_login_admin', value=remember_key, max_age=315360000, expires=timestamp, path=config.application_root)
+                        user_admin.fields['token_login'].protected=False
+                        
+                        resp.set_cookie('remember_login_admin', value=json.dumps((arr_user['id'], remember_key)), max_age=315360000, expires=timestamp, path=config.application_root)
                        
                    if arr_user['double_auth']:
                        
                        token_auth=create_key(8)
                        session['verify_auth']=False
-                    
-                        #user_admin.set_conditions('WHERE id=%s', [arr_user['id']]).update({'token_auth': token_auth})
                        
                        user_admin.fields['token_auth'].protected=False
                        
@ -185,8 +189,6 @@ def login():
                        
                        sendmail=SendMail(ssl=True)
                        
-                        # def send(self, from_address, to_address: list, subject, message, content_type='plain', attachments=[]):
-                        
                        sendmail.send(config.portal_email, [arr_user['email']], _('Code for complete login'), _('We send to you a code for activate your account using double authentication:')+"\n"+token_auth, content_type='plain', attachments=[])
                        
                    if arr_user['dark_theme']:
@ -206,9 +208,9 @@ def login():
                            user_admin.fields['password'].protected=False
                            
                            arr_update['password']=password
-                            
+                        
                        user_admin.set_conditions('WHERE id=%s', [arr_user['id']]).update(arr_update)
-                    
+                        
                    return resp
            
                else:
@ -228,8 +230,6 @@ def login():
            you_cannot_login=check_login_tries()
            
            return {'error': 1, 'you_cannot_login': you_cannot_login}
-        
-        #if
    
    else: