General cleanup after merge, hopefully improved roles with backup

app/classes/shared/controller.py

@@ -10,7 +10,7 @@ from distutils import dir_util
 from app.classes.shared.helpers import helper
 from app.classes.shared.console import console
 
-from app.classes.shared.models import db_helper, Servers, User_Servers
+from app.classes.shared.models import db_helper, Servers
 
 from app.classes.shared.server import Server
 from app.classes.minecraft.server_props import ServerProps
@@ -345,7 +345,7 @@ class Controller:
                     self.stop_server(server_id)
 
                 # remove the server from the DB
-                User_Servers.delete().where(User_Servers.server_id == server_id).execute()
+                #User_Servers.delete().where(User_Servers.server_id == server_id).execute()
                 Servers.delete().where(Servers.server_id == server_id).execute()
 
                 # remove the server from servers list

app/classes/web/base_handler.py

@@ -39,7 +39,7 @@ class BaseHandler(tornado.web.RequestHandler):
             ) -> Optional[str]:
         arg = self._get_argument(name, default, self.request.arguments, strip)
         logger.debug("Bleaching {}: {}".format(name, arg))
-        return bleach.clean(arg)
+        return self.autobleach(arg)
 
     def get_arguments(self, name: str, strip: bool = True) -> List[str]:
         assert isinstance(strip, bool)
@@ -47,5 +47,5 @@ class BaseHandler(tornado.web.RequestHandler):
         args_ret = []
         for arg in args:
             logger.debug("Bleaching {}: {}".format(name, arg))
-            args_ret += bleach.clean(arg)
+            args_ret += self.autobleach(arg)
         return args_ret

app/classes/web/panel_handler.py

@@ -33,10 +33,10 @@ class PanelHandler(BaseHandler):
         
         user_role = []
         if user['superuser'] == 1:
-            defined_servers = controller.list_defined_servers()
+            defined_servers = self.controller.list_defined_servers()
             user_role = {"Super User"}
         else:
-            defined_servers = controller.list_authorized_servers(userId)
+            defined_servers = self.controller.list_authorized_servers(userId)
             for r in user['roles']:
                 role = db_helper.get_role(r)
                 user_role.append(role['role_name'])
@@ -84,7 +84,7 @@ class PanelHandler(BaseHandler):
 
         elif page == "remove_server":
             server_id = self.get_argument('id', None)
-            server_data = controller.get_server_data(server_id)
+            server_data = self.controller.get_server_data(server_id)
             server_name = server_data['server_name']
 
             db_helper.add_to_audit_log(user_data['user_id'],
@@ -120,8 +120,6 @@ class PanelHandler(BaseHandler):
                 self.redirect("/panel/error?error=Invalid Server ID")
                 return
             else:
-                server_id = bleach.clean(server_id)
-
                 # does this server id exist?
                 if not db_helper.server_id_exists(server_id):
                     self.redirect("/panel/error?error=Invalid Server ID")
@@ -182,18 +180,16 @@ class PanelHandler(BaseHandler):
                 self.redirect("/panel/error?error=Invalid Server ID")
                 return
             else:
-                server_id = bleach.clean(server_id)
-
                 # does this server id exist?
                 if not db_helper.server_id_exists(server_id):
                     self.redirect("/panel/error?error=Invalid Server ID")
                     return
 
-            exec_user = db_helper.get_user(user_data['user_id'])
-
-            if not exec_user['superuser']:
-                self.redirect("/panel/error?error=Unauthorized access: not superuser")
-                return
+                if user['superuser'] != 1:
+                    #if not db_helper.server_id_authorized(server_id, userId):
+                    if not db_helper.server_id_authorized_from_roles(int(server_id), userId):
+                        self.redirect("/panel/error?error=Invalid Server ID")
+                        return False
 
             server_info = db_helper.get_server_data_by_id(server_id)
             backup_file = os.path.abspath(os.path.join(server_info["backup_path"], file))
@@ -238,11 +234,11 @@ class PanelHandler(BaseHandler):
                     self.redirect("/panel/error?error=Invalid Server ID")
                     return
 
-            exec_user = db_helper.get_user(user_data['user_id'])
-
-            if not exec_user['superuser']:
-                self.redirect("/panel/error?error=Unauthorized access: not superuser")
-                return
+                if user['superuser'] != 1:
+                    #if not db_helper.server_id_authorized(server_id, userId):
+                    if not db_helper.server_id_authorized_from_roles(int(server_id), userId):
+                        self.redirect("/panel/error?error=Invalid Server ID")
+                        return False
 
             server = self.controller.get_server_obj(server_id).backup_server()
             self.redirect("/panel/server_detail?id={}&subpage=backup".format(server_id))