add privacy policy; harden authentication; cleanup

This commit is contained in:
Laura Hausmann 2020-06-12 02:21:59 +02:00
parent 5eacd5a7ec
commit c4b2b216ea
Signed by: zotan
GPG key ID: 5EC1D38FFC321311
9 changed files with 57 additions and 1 deletions


@ -23,6 +23,9 @@ namespace bahnplan.web.Pages {
if (Request.Query.ContainsKey("refresh")) { if (Request.Query.ContainsKey("refresh")) {
var card = db.Cards.First(p => p.CardId == int.Parse(Request.Query["refresh"])); var card = db.Cards.First(p => p.CardId == int.Parse(Request.Query["refresh"]));
if (card.UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
var request = new XDocument(new XElement("rqorderdetails", new XAttribute("version", "1.0"), var request = new XDocument(new XElement("rqorderdetails", new XAttribute("version", "1.0"),
new XElement("rqheader", new XAttribute("ts", "2019-10-31T23:20:48"), new XAttribute("l", "de"), new XElement("rqheader", new XAttribute("ts", "2019-10-31T23:20:48"), new XAttribute("l", "de"),
new XAttribute("v", "19100000"), new XAttribute("d", "iPad7,5"), new XAttribute("v", "19100000"), new XAttribute("d", "iPad7,5"),
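Review bot: The ownership check added at L16 is only reached when `db.Cards.First(...)` on the line above finds a row, so a `refresh` value that is not an integer or matches no card ends in an unhandled exception rather than the quiet rejection the new line intends. Parsing and looking up defensively keeps both cases on the same path: `if (!int.TryParse(Request.Query["refresh"], out var cardId)) return;` `var card = db.Cards.FirstOrDefault(p => p.CardId == cardId);` `if (card is null || card.UserId != int.Parse(HttpContext.Session.GetString("uid"))) return;`. The same `First(...)`-then-compare shape recurs in the delete page and the trip/leg pages further down this commit (hunks ending at L79, L102, L130 and L155), so a small helper on a shared base, e.g. `bool OwnsCard(int cardId)`, would keep the rule in one place. A bare `return` from the handler presumably still produces a normal response; if a refused request should be distinguishable for logging or the client, setting `Response.StatusCode = StatusCodes.Status403Forbidden;` first is cheap. The handler itself starts above this hunk.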


@ -24,6 +24,10 @@
switch (Request.Query["item"]) { switch (Request.Query["item"]) {
case "trip": { case "trip": {
var trip = db.Trips.First(p => p.TripId == int.Parse(Request.Query["id"]));
if (trip.UserId != int.Parse(HttpContext.Session.GetString("uid"))) {
return;
}
var legs = db.Legs.Where(p => p.TripId == int.Parse(Request.Query["id"])).OrderBy(p => p.DepTime).ToList(); var legs = db.Legs.Where(p => p.TripId == int.Parse(Request.Query["id"])).OrderBy(p => p.DepTime).ToList();
<span> <span>
@ -41,6 +45,9 @@
} }
case "card": { case "card": {
var card = db.Cards.First(p => p.CardId == int.Parse(Request.Query["id"])); var card = db.Cards.First(p => p.CardId == int.Parse(Request.Query["id"]));
if (card.UserId != int.Parse(HttpContext.Session.GetString("uid"))) {
return;
}
<span> <span>
the card <b>@card.CardInfo.TrimEnd('#')</b> with the number <i>@card.CardNumber</i>, owned by <b>@card.Traveller</b> the card <b>@card.CardInfo.TrimEnd('#')</b> with the number <i>@card.CardNumber</i>, owned by <b>@card.Traveller</b>
</span> </span>
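Review bot: Both new checks in this section (L28 and L37) live in the template, where, as far as I can tell, `return` only stops rendering the remainder of the page, so an unauthorised `id` still yields what looks like a successful, partly rendered page instead of a refusal. Since the template already queries `db` itself, the lookup and the owner comparison belong together in the page handler, which can also answer with a redirect or a 403 in one place; the same applies to the template checks ending at L91 and L143. Within the first hunk, the `trip` case parses `Request.Query["id"]` at L27 and again at L31, so `var id = int.Parse(Request.Query["id"]);` ahead of the lookup would avoid the repetition and make a non-numeric value fail in one spot.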


@ -23,11 +23,19 @@ namespace bahnplan.web.Pages {
switch (Request.Query["item"]) { switch (Request.Query["item"]) {
case "trip": { case "trip": {
var trip = db.Trips.First(p => p.TripId == id);
if (trip.UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
db.Trips.Delete(p => p.TripId == id); db.Trips.Delete(p => p.TripId == id);
db.Legs.Delete(p => p.TripId == id); db.Legs.Delete(p => p.TripId == id);
break; break;
} }
case "leg": { case "leg": {
var leg = db.Legs.First(p => p.LegId == id);
if (leg.UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
var tripid = db.Legs.First(p => p.LegId == id).TripId; var tripid = db.Legs.First(p => p.LegId == id).TripId;
db.Legs.Delete(p => p.LegId == id); db.Legs.Delete(p => p.LegId == id);
if (!db.Legs.Any(p => p.TripId == tripid)) if (!db.Legs.Any(p => p.TripId == tripid))
@ -35,10 +43,18 @@ namespace bahnplan.web.Pages {
break; break;
} }
case "ticket": { case "ticket": {
var leg = db.Legs.First(p => p.LegId == id);
if (leg.UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
db.Legs.Where(p => p.LegId == id).Set(p => p.TicketId, 0).Update(); db.Legs.Where(p => p.LegId == id).Set(p => p.TicketId, 0).Update();
break; break;
} }
case "card": { case "card": {
var card = db.Cards.First(p => p.CardId == id);
if (card.UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
db.Cards.Delete(p => p.CardId == id); db.Cards.Delete(p => p.CardId == id);
break; break;
} }
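Review bot: In the `leg` case the lookup added at L57 is immediately repeated by the existing `var tripid = db.Legs.First(p => p.LegId == id).TripId;` at L60; `var tripid = leg.TripId;` reuses the row the check just fetched. The `ticket` case at L67 binds `leg` as well, which is fine as a sibling block scope but means the same three lines now appear four times in one method; a local function such as `bool Owned(int ownerId) => ownerId == int.Parse(HttpContext.Session.GetString("uid"));` would shrink each case to a single comparison. The handler signature is outside the hunk, but every branch is driven by `Request.Query`; if this runs on GET, the antiforgery tokens the new privacy page mentions do not cover these deletions, whereas a POST handler (where Razor Pages validates the token automatically) would.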


@ -9,6 +9,10 @@
Response.Redirect("/"); Response.Redirect("/");
return; return;
} }
if (Model.Ticket.UserId != int.Parse(HttpContext.Session.GetString("uid"))) {
return;
}
} }
<p> <p>
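Review bot: The new branch at L87 returns silently, while the sibling branch three lines above redirects to `/` before returning; an unauthorised ticket id therefore ends in an empty page rather than the same landing page. Matching the existing branch, `Response.Redirect("/"); return;`, keeps both refusals consistent, and as with the other template checks this is better placed in the page handler next to where `Model.Ticket` is loaded.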


@ -31,6 +31,10 @@ namespace bahnplan.web.Pages {
var parsed = OeapiResponse.FromJson(response); var parsed = OeapiResponse.FromJson(response);
if (!string.IsNullOrWhiteSpace(Request.Query["tripid"].ToString()))
if (db.Trips.First(p => p.TripId == int.Parse(Request.Query["tripid"].ToString())).UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
var tripId = Request.Query["action"] == "addleg" var tripId = Request.Query["action"] == "addleg"
? int.Parse(Request.Query["tripid"]) ? int.Parse(Request.Query["tripid"])
: db.InsertWithInt32Identity(new Trip {UserId = int.Parse(HttpContext.Session.GetString("uid"))}); : db.InsertWithInt32Identity(new Trip {UserId = int.Parse(HttpContext.Session.GetString("uid"))});
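Review bot: The two stacked brace-less `if`s at L97-98 read as a single condition and break silently if a line is ever added between them; folding them into one guard, `if (!string.IsNullOrWhiteSpace(Request.Query["tripid"]) && db.Trips.First(p => p.TripId == int.Parse(Request.Query["tripid"])).UserId != int.Parse(HttpContext.Session.GetString("uid"))) return;`, or parsing `tripid` once into a local that L101 then reuses, makes the intent explicit. The identical block appears again in the hunk ending at L130, so whichever form is chosen should be applied there too. Note that the guard keys on `tripid` being present while L100 only consumes it when `action` is `addleg`, so an `addleg` request with a blank `tripid` still reaches `int.Parse` unguarded; that is pre-existing, but it fits naturally into the same guard.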


@ -5,4 +5,14 @@
} }
<h1>@ViewData["Title"]</h1> <h1>@ViewData["Title"]</h1>
<p>Use this page to detail your site's privacy policy.</p> <p>The only cookies we store on your device is a session identifier, which is used to access information related to your session on the server, as well as CSRF Antiforgery tokens.</p>
<p>We do not track you, nor use external services that do.</p>
<p>This is not a public service. Therefore we do not save any data in your session unless you log in. For registered users, the following data is stored in our database:</p>
<ul>
<li>Data visible in the interface (trips, tickets, cards)</li>
<li>Your username and hashed password</li>
<li>Order IDs for tickets and cards stored</li>
<li>Card class and value for cards stored</li>
</ul>
<p>If you have any further questions, contact us at <a href="mailto:bahn-privacy@zotan.email">bahn-privacy@zotan.email</a></p>


@ -20,6 +20,10 @@ namespace bahnplan.web.Pages {
return; return;
using var db = new Database.DbConn(); using var db = new Database.DbConn();
if (!string.IsNullOrWhiteSpace(Request.Query["tripid"].ToString()))
if (db.Trips.First(p => p.TripId == int.Parse(Request.Query["tripid"].ToString())).UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
if (db.Tickets.Any(p => p.OrderId == Request.Query["order"].ToString())) { if (db.Tickets.Any(p => p.OrderId == Request.Query["order"].ToString())) {
var tripId = Request.Query["action"] == "addleg" var tripId = Request.Query["action"] == "addleg"
? int.Parse(Request.Query["tripid"]) ? int.Parse(Request.Query["tripid"])


@ -14,6 +14,11 @@
Response.Redirect(Request.Headers["Referer"]); Response.Redirect(Request.Headers["Referer"]);
return; return;
} }
if (Model.Legs.First().UserId != int.Parse(HttpContext.Session.GetString("uid"))) {
return;
}
var dep = Model.Legs.First().DepStation; var dep = Model.Legs.First().DepStation;
var arr = Model.Legs.Last().ArrStation; var arr = Model.Legs.Last().ArrStation;
var deplenmax = Model.Legs.Max(p => p.DepStation.Length) + 1; var deplenmax = Model.Legs.Max(p => p.DepStation.Length) + 1;
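Review bot: Only `Model.Legs.First()` is checked at L138, while the rest of the template walks every leg (`Last()` at L142, `Max` at L143); unless the handler guarantees that all legs in `Model.Legs` share one owner, which is not visible here, the check should cover the whole list: `var uid = int.Parse(HttpContext.Session.GetString("uid"));` `if (Model.Legs.Any(p => p.UserId != uid)) return;`. Hoisting the session id into a local also avoids re-parsing it per leg. As with the other template checks in this commit, this fits better in the page handler that populates `Model.Legs`.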


@ -17,6 +17,9 @@ namespace bahnplan.web.Pages {
using var db = new Database.DbConn(); using var db = new Database.DbConn();
if (Request.Query.ContainsKey("separator")) { if (Request.Query.ContainsKey("separator")) {
var leg = db.Legs.First(p => p.LegId == int.Parse(Request.Query["legid"])); var leg = db.Legs.First(p => p.LegId == int.Parse(Request.Query["legid"]));
if (leg.UserId != int.Parse(HttpContext.Session.GetString("uid")))
return;
db.Insert(new Leg { db.Insert(new Leg {
TripId = int.Parse(Request.Query["id"]), TripId = int.Parse(Request.Query["id"]),
UserId = int.Parse(HttpContext.Session.GetString("uid")), UserId = int.Parse(HttpContext.Session.GetString("uid")),
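Review bot: The new check at L151 verifies the owner of the leg named by `legid`, but the row inserted at L153 takes its `TripId` from the separate `Request.Query["id"]` at L154, which is never compared against that leg or its owner, so a separator could end up attached to a trip the caller does not own. Assuming a separator belongs to the same trip as the leg it follows, `if (leg.UserId != int.Parse(HttpContext.Session.GetString("uid")) || leg.TripId != int.Parse(Request.Query["id"])) return;` closes that gap, or the insert could use `TripId = leg.TripId` and drop the `id` parameter entirely. The handler continues beyond this hunk.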