add privacy policy; harden authentication; cleanup

This commit is contained in:
Laura Hausmann 2020-06-12 02:21:59 +02:00
parent 5eacd5a7ec
commit c4b2b216ea
Signed by: zotan
GPG Key ID: 5EC1D38FFC321311
9 changed files with 57 additions and 1 deletions


@ -23,6 +23,9 @@ namespace bahnplan.web.Pages {
if (Request.Query.ContainsKey("refresh")) {
var card = db.Cards.First(p => p.CardId == int.Parse(Request.Query["refresh"]));
if (card.UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
var request = new XDocument(new XElement("rqorderdetails", new XAttribute("version", "1.0"),
new XElement("rqheader", new XAttribute("ts", "2019-10-31T23:20:48"), new XAttribute("l", "de"),
new XAttribute("v", "19100000"), new XAttribute("d", "iPad7,5"),
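Review bot: The ownership check added after the card lookup runs only once `First()` and `int.Parse` have already been applied to the raw `refresh` value, so an unknown or non-numeric id throws (InvalidOperationException / FormatException) and surfaces as a server error rather than a controlled response, while a foreign card ends in a normal 200 render because `return;` sets no status. A guard of the form `if (!int.TryParse(Request.Query["refresh"], out var cardId)) return;` followed by `var card = db.Cards.FirstOrDefault(p => p.CardId == cardId);` and one shared `Response.StatusCode = StatusCodes.Status404NotFound; return;` path for both the missing and the foreign card keeps the two cases indistinguishable to a client probing ids. The same lookup-then-check shape is added in the delete handler's four cases, the two `tripid` checks in the import handlers and the separator insert handler, and `int.Parse(HttpContext.Session.GetString("uid"))` is repeated in every one of them; a single PageModel property such as `int CurrentUserId` would replace all of those copies. The enclosing handler starts before this hunk and its request-building statement continues past it.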


@ -24,6 +24,10 @@
switch (Request.Query["item"]) {
case "trip": {
var trip = db.Trips.First(p => p.TripId == int.Parse(Request.Query["id"]));
if (trip.UserId != int.Parse(HttpContext.Session.GetString("uid"))) {
return;
}
var legs = db.Legs.Where(p => p.TripId == int.Parse(Request.Query["id"])).OrderBy(p => p.DepTime).ToList();
<span>
@ -41,6 +45,9 @@
}
case "card": {
var card = db.Cards.First(p => p.CardId == int.Parse(Request.Query["id"]));
if (card.UserId != int.Parse(HttpContext.Session.GetString("uid"))) {
return;
}
<span>
the card <b>@card.CardInfo.TrimEnd('#')</b> with the number <i>@card.CardNumber</i>, owned by <b>@card.Traveller</b>
</span>
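Review bot: The owner checks added in the `trip` and `card` cases run inside the view, after the entity has already been loaded, and leave with a bare `return;`, which stops rendering but still sends a 200 carrying whatever markup was emitted before it. Set a status before leaving, `Response.StatusCode = StatusCodes.Status403Forbidden; return;`, or better move the lookup and the ownership test into the PageModel handler, where `First()` on an unknown `id` can also become `FirstOrDefault` plus a not-found path instead of an unhandled InvalidOperationException. The same view-level pattern is added in the ticket page (`Model.Ticket.UserId`) and the legs page (`Model.Legs.First().UserId`). The switch and the surrounding code block start outside this hunk.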


@ -23,11 +23,19 @@ namespace bahnplan.web.Pages {
switch (Request.Query["item"]) {
case "trip": {
var trip = db.Trips.First(p => p.TripId == id);
if (trip.UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
db.Trips.Delete(p => p.TripId == id);
db.Legs.Delete(p => p.TripId == id);
break;
}
case "leg": {
var leg = db.Legs.First(p => p.LegId == id);
if (leg.UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
var tripid = db.Legs.First(p => p.LegId == id).TripId;
db.Legs.Delete(p => p.LegId == id);
if (!db.Legs.Any(p => p.TripId == tripid))
@ -35,10 +43,18 @@ namespace bahnplan.web.Pages {
break;
}
case "ticket": {
var leg = db.Legs.First(p => p.LegId == id);
if (leg.UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
db.Legs.Where(p => p.LegId == id).Set(p => p.TicketId, 0).Update();
break;
}
case "card": {
var card = db.Cards.First(p => p.CardId == id);
if (card.UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
db.Cards.Delete(p => p.CardId == id);
break;
}
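Review bot: In the `leg` case the guard fetches `leg` and then the next line queries `db.Legs.First(p => p.LegId == id).TripId` a second time although the entity just loaded already carries it; `var tripid = leg.TripId;` removes the duplicate round-trip, and the `trip`, `ticket` and `card` cases would read the same way with `FirstOrDefault` and a null guard so that an unknown id does not throw. The new guards make a foreign id a silent no-op, but the deletes themselves are still driven entirely by query-string values; if these cases sit in an `OnGet` handler (its signature is outside the hunk), the antiforgery token mentioned on the new privacy page never applies to them, and moving the destructive cases to an `OnPost` handler, where Razor Pages validates the antiforgery token automatically, would be the matching hardening step. The method starts before the first hunk and ends after the second.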


@ -9,6 +9,10 @@
Response.Redirect("/");
return;
}
if (Model.Ticket.UserId != int.Parse(HttpContext.Session.GetString("uid"))) {
return;
}
}
<p>


@ -31,6 +31,10 @@ namespace bahnplan.web.Pages {
var parsed = OeapiResponse.FromJson(response);
if (!string.IsNullOrWhiteSpace(Request.Query["tripid"].ToString()))
if (db.Trips.First(p => p.TripId == int.Parse(Request.Query["tripid"].ToString())).UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
var tripId = Request.Query["action"] == "addleg"
? int.Parse(Request.Query["tripid"])
: db.InsertWithInt32Identity(new Trip {UserId = int.Parse(HttpContext.Session.GetString("uid"))});
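Review bot: The brace-less nested `if` pair added before the `tripId` expression is easy to misread, parses `Request.Query["tripid"]` here and again two lines later, and throws `FormatException` on a non-numeric value in either place. A single guard reads better: `var uid = int.Parse(HttpContext.Session.GetString("uid"));` followed by `if (int.TryParse(Request.Query["tripid"], out var requestedTrip) && db.Trips.First(p => p.TripId == requestedTrip).UserId != uid) return;`, with `uid` reused in the `new Trip` initializer below. The check still assumes the referenced trip exists, since `First()` throws otherwise, so a `FirstOrDefault` with a null check belongs in the same line. The identical pair of lines is added in the other import handler (the hunk containing `db.Tickets.Any(...)`) and should get the same treatment. The handler starts before and continues after this hunk.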


@ -5,4 +5,14 @@
}
<h1>@ViewData["Title"]</h1>
<p>Use this page to detail your site's privacy policy.</p>
<p>The only cookies we store on your device is a session identifier, which is used to access information related to your session on the server, as well as CSRF Antiforgery tokens.</p>
<p>We do not track you, nor use external services that do.</p>
<p>This is not a public service. Therefore we do not save any data in your session unless you log in. For registered users, the following data is stored in our database:</p>
<ul>
<li>Data visible in the interface (trips, tickets, cards)</li>
<li>Your username and hashed password</li>
<li>Order IDs for tickets and cards stored</li>
<li>Card class and value for cards stored</li>
</ul>
<p>If you have any further questions, contact us at <a href="mailto:bahn-privacy@zotan.email">bahn-privacy@zotan.email</a></p>
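Review bot: The template placeholder `<p>Use this page to detail your site's privacy policy.</p>` is still present above the actual policy text and should be dropped, and the first real sentence has a number-agreement slip (`The only cookies we store ... is` should read `are`). The list states that passwords are stored hashed; nothing in this commit shows the login or registration code, so it is worth confirming that claim against the code that writes the password column before the page is published.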


@ -20,6 +20,10 @@ namespace bahnplan.web.Pages {
return;
using var db = new Database.DbConn();
if (!string.IsNullOrWhiteSpace(Request.Query["tripid"].ToString()))
if (db.Trips.First(p => p.TripId == int.Parse(Request.Query["tripid"].ToString())).UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
if (db.Tickets.Any(p => p.OrderId == Request.Query["order"].ToString())) {
var tripId = Request.Query["action"] == "addleg"
? int.Parse(Request.Query["tripid"])


@ -14,6 +14,11 @@
Response.Redirect(Request.Headers["Referer"]);
return;
}
if (Model.Legs.First().UserId != int.Parse(HttpContext.Session.GetString("uid"))) {
return;
}
var dep = Model.Legs.First().DepStation;
var arr = Model.Legs.Last().ArrStation;
var deplenmax = Model.Legs.Max(p => p.DepStation.Length) + 1;


@ -17,6 +17,9 @@ namespace bahnplan.web.Pages {
using var db = new Database.DbConn();
if (Request.Query.ContainsKey("separator")) {
var leg = db.Legs.First(p => p.LegId == int.Parse(Request.Query["legid"]));
if (leg.UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
db.Insert(new Leg {
TripId = int.Parse(Request.Query["id"]),
UserId = int.Parse(HttpContext.Session.GetString("uid")),