add privacy policy; harden authentication; cleanup
This commit is contained in:
parent
5eacd5a7ec
commit
c4b2b216ea
|
@ -23,6 +23,9 @@ namespace bahnplan.web.Pages {
|
|||
|
||||
if (Request.Query.ContainsKey("refresh")) {
|
||||
var card = db.Cards.First(p => p.CardId == int.Parse(Request.Query["refresh"]));
|
||||
if (card.UserId != int.Parse(HttpContext.Session.GetString("uid")))
|
||||
return;
|
||||
|
||||
var request = new XDocument(new XElement("rqorderdetails", new XAttribute("version", "1.0"),
|
||||
new XElement("rqheader", new XAttribute("ts", "2019-10-31T23:20:48"), new XAttribute("l", "de"),
|
||||
new XAttribute("v", "19100000"), new XAttribute("d", "iPad7,5"),
|
||||
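Review bot: The ownership check `if (card.UserId != int.Parse(HttpContext.Session.GetString("uid")))` only runs after `db.Cards.First(p => p.CardId == int.Parse(Request.Query["refresh"]))` has already succeeded, so a non-numeric `refresh` value, an id with no matching row, or a missing session `uid` ends in an unhandled exception rather than a denial; the same shape recurs in the trip/leg/ticket/card cases of the delete handler, in both `tripid` checks, and in the separator handler further down. Resolve the caller once and fold it into the lookup so a foreign id and a missing row are handled identically: `if (!int.TryParse(Request.Query["refresh"], out var cardId) || !int.TryParse(HttpContext.Session.GetString("uid"), out var uid)) return;` then `var card = db.Cards.FirstOrDefault(p => p.CardId == cardId && p.UserId == uid); if (card is null) return;`. The bare `return;` leaves whatever status the page would otherwise send — presumably a 200 with an empty body if this handler is void — so consider `Response.StatusCode = 403;` (or 404, which avoids confirming that the id exists) before returning. The enclosing handler starts before the hunk.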
|
|
|
@ -24,6 +24,10 @@
|
|||
|
||||
switch (Request.Query["item"]) {
|
||||
case "trip": {
|
||||
var trip = db.Trips.First(p => p.TripId == int.Parse(Request.Query["id"]));
|
||||
if (trip.UserId != int.Parse(HttpContext.Session.GetString("uid"))) {
|
||||
return;
|
||||
}
|
||||
var legs = db.Legs.Where(p => p.TripId == int.Parse(Request.Query["id"])).OrderBy(p => p.DepTime).ToList();
|
||||
|
||||
<span>
|
||||
|
@ -41,6 +45,9 @@
|
|||
}
|
||||
case "card": {
|
||||
var card = db.Cards.First(p => p.CardId == int.Parse(Request.Query["id"]));
|
||||
if (card.UserId != int.Parse(HttpContext.Session.GetString("uid"))) {
|
||||
return;
|
||||
}
|
||||
<span>
|
||||
the card <b>@card.CardInfo.TrimEnd('#')</b> with the number <i>@card.CardNumber</i>, owned by <b>@card.Traveller</b>
|
||||
</span>
|
||||
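Review bot: The ownership checks added before `<span>` in both the `trip` and `card` cases live in the view, so a failed check ends with `return;` part-way through rendering and the response still carries whatever status and layout the page had already started with; the same applies to the Ticket view (`Model.Ticket.UserId`) and the Legs view (`Model.Legs.First().UserId`) below. Moving the check into the PageModel handler lets it answer with an explicit result such as `return Forbid();` or `return NotFound();` before any markup is written. In the `trip` case `Request.Query["id"]` is also parsed twice (the `trip` lookup and the `legs` query); reuse the entity already loaded: `var legs = db.Legs.Where(p => p.TripId == trip.TripId).OrderBy(p => p.DepTime).ToList();`. The `switch` block starts and continues outside the hunks.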
|
|
|
@ -23,11 +23,19 @@ namespace bahnplan.web.Pages {
|
|||
|
||||
switch (Request.Query["item"]) {
|
||||
case "trip": {
|
||||
var trip = db.Trips.First(p => p.TripId == id);
|
||||
if (trip.UserId != int.Parse(HttpContext.Session.GetString("uid")))
|
||||
return;
|
||||
|
||||
db.Trips.Delete(p => p.TripId == id);
|
||||
db.Legs.Delete(p => p.TripId == id);
|
||||
break;
|
||||
}
|
||||
case "leg": {
|
||||
var leg = db.Legs.First(p => p.LegId == id);
|
||||
if (leg.UserId != int.Parse(HttpContext.Session.GetString("uid")))
|
||||
return;
|
||||
|
||||
var tripid = db.Legs.First(p => p.LegId == id).TripId;
|
||||
db.Legs.Delete(p => p.LegId == id);
|
||||
if (!db.Legs.Any(p => p.TripId == tripid))
|
||||
|
@ -35,10 +43,18 @@ namespace bahnplan.web.Pages {
|
|||
break;
|
||||
}
|
||||
case "ticket": {
|
||||
var leg = db.Legs.First(p => p.LegId == id);
|
||||
if (leg.UserId != int.Parse(HttpContext.Session.GetString("uid")))
|
||||
return;
|
||||
|
||||
db.Legs.Where(p => p.LegId == id).Set(p => p.TicketId, 0).Update();
|
||||
break;
|
||||
}
|
||||
case "card": {
|
||||
var card = db.Cards.First(p => p.CardId == id);
|
||||
if (card.UserId != int.Parse(HttpContext.Session.GetString("uid")))
|
||||
return;
|
||||
|
||||
db.Cards.Delete(p => p.CardId == id);
|
||||
break;
|
||||
}
|
||||
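Review bot: The deletes in the `trip` and `leg` cases run as separate statements (`db.Trips.Delete(p => p.TripId == id);` then `db.Legs.Delete(p => p.TripId == id);`) with no transaction visible, so a failure between them leaves orphaned legs; wrapping each case body in a transaction on the connection would make it atomic (the exact API depends on `Database.DbConn`, which is outside the hunk). The `leg` case reloads the row it already holds, `var tripid = db.Legs.First(p => p.LegId == id).TripId;`, which can simply be `var tripid = leg.TripId;`. If these cases run from a GET handler — `id` appears to be query-derived and the handler signature is outside the hunk — the antiforgery token mentioned on the privacy page does not cover them; destructive actions belong in a POST handler so the token is enforced.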
|
|
|
@ -9,6 +9,10 @@
|
|||
Response.Redirect("/");
|
||||
return;
|
||||
}
|
||||
|
||||
if (Model.Ticket.UserId != int.Parse(HttpContext.Session.GetString("uid"))) {
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
<p>
|
||||
|
|
|
@ -31,6 +31,10 @@ namespace bahnplan.web.Pages {
|
|||
|
||||
var parsed = OeapiResponse.FromJson(response);
|
||||
|
||||
if (!string.IsNullOrWhiteSpace(Request.Query["tripid"].ToString()))
|
||||
if (db.Trips.First(p => p.TripId == int.Parse(Request.Query["tripid"].ToString())).UserId != int.Parse(HttpContext.Session.GetString("uid")))
|
||||
return;
|
||||
|
||||
var tripId = Request.Query["action"] == "addleg"
|
||||
? int.Parse(Request.Query["tripid"])
|
||||
: db.InsertWithInt32Identity(new Trip {UserId = int.Parse(HttpContext.Session.GetString("uid"))});
|
||||
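Review bot: The guard is two nested braceless `if` statements whose conditions disagree with the use that follows: the check fires whenever `tripid` is non-blank, while `tripId` is only read from the query when `Request.Query["action"] == "addleg"`, so an `addleg` request with a blank `tripid` skips the check and then fails in `int.Parse(Request.Query["tripid"])`. The same shape appears in the second `tripid` check further down. Keying both on the action and bracing the block keeps them in step: `var addLeg = Request.Query["action"] == "addleg"; if (addLeg && (!int.TryParse(Request.Query["tripid"], out var requestedTrip) || !db.Trips.Any(p => p.TripId == requestedTrip && p.UserId == uid))) { return; }` with `uid` parsed once from the session. The enclosing handler starts before the hunk.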
|
|
|
@ -5,4 +5,14 @@
|
|||
}
|
||||
<h1>@ViewData["Title"]</h1>
|
||||
|
||||
<p>Use this page to detail your site's privacy policy.</p>
|
||||
<p>The only cookies we store on your device is a session identifier, which is used to access information related to your session on the server, as well as CSRF Antiforgery tokens.</p>
|
||||
<p>We do not track you, nor use external services that do.</p>
|
||||
<p>This is not a public service. Therefore we do not save any data in your session unless you log in. For registered users, the following data is stored in our database:</p>
|
||||
<ul>
|
||||
<li>Data visible in the interface (trips, tickets, cards)</li>
|
||||
<li>Your username and hashed password</li>
|
||||
<li>Order IDs for tickets and cards stored</li>
|
||||
<li>Card class and value for cards stored</li>
|
||||
</ul>
|
||||
|
||||
<p>If you have any further questions, contact us at <a href="mailto:bahn-privacy@zotan.email">bahn-privacy@zotan.email</a></p>
|
|
@ -20,6 +20,10 @@ namespace bahnplan.web.Pages {
|
|||
return;
|
||||
|
||||
using var db = new Database.DbConn();
|
||||
if (!string.IsNullOrWhiteSpace(Request.Query["tripid"].ToString()))
|
||||
if (db.Trips.First(p => p.TripId == int.Parse(Request.Query["tripid"].ToString())).UserId != int.Parse(HttpContext.Session.GetString("uid")))
|
||||
return;
|
||||
|
||||
if (db.Tickets.Any(p => p.OrderId == Request.Query["order"].ToString())) {
|
||||
var tripId = Request.Query["action"] == "addleg"
|
||||
? int.Parse(Request.Query["tripid"])
|
||||
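Review bot: The duplicate-order guard `if (db.Tickets.Any(p => p.OrderId == Request.Query["order"].ToString()))` is not scoped to the current user, so whether the branch is taken depends on tickets belonging to anyone with that order id; presumably this is meant to detect the caller's own re-import, in which case it should read `p.OrderId == order && p.UserId == uid`. If the unscoped form is intentional (order ids being globally unique), a one-line comment saying so, `// order ids are global: an order imported by any user must not be imported again`, would save the next reader from the same question. The branch body and the handler signature are outside the hunk.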
|
|
|
@ -14,6 +14,11 @@
|
|||
Response.Redirect(Request.Headers["Referer"]);
|
||||
return;
|
||||
}
|
||||
|
||||
if (Model.Legs.First().UserId != int.Parse(HttpContext.Session.GetString("uid"))) {
|
||||
return;
|
||||
}
|
||||
|
||||
var dep = Model.Legs.First().DepStation;
|
||||
var arr = Model.Legs.Last().ArrStation;
|
||||
var deplenmax = Model.Legs.Max(p => p.DepStation.Length) + 1;
|
||||
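Review bot: The check `if (Model.Legs.First().UserId != int.Parse(HttpContext.Session.GetString("uid")))` only verifies the owner of the first leg; if `Model.Legs` is always the legs of a single trip this is equivalent to checking the trip, but that is not visible here, and `Model.Legs.All(p => p.UserId == uid)` makes the intent explicit at no extra cost. `Model.Legs.First()` also throws on an empty list unless the redirect block just above already rules that out (its condition is outside the hunk). The surrounding code block starts before the hunk.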
|
|
|
@ -17,6 +17,9 @@ namespace bahnplan.web.Pages {
|
|||
using var db = new Database.DbConn();
|
||||
if (Request.Query.ContainsKey("separator")) {
|
||||
var leg = db.Legs.First(p => p.LegId == int.Parse(Request.Query["legid"]));
|
||||
if (leg.UserId != int.Parse(HttpContext.Session.GetString("uid")))
|
||||
return;
|
||||
|
||||
db.Insert(new Leg {
|
||||
TripId = int.Parse(Request.Query["id"]),
|
||||
UserId = int.Parse(HttpContext.Session.GetString("uid")),
|
||||
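Review bot: The new check verifies that the leg named by `legid` belongs to the caller, but the inserted row takes its trip from a different parameter, `TripId = int.Parse(Request.Query["id"]),`, which is never checked against the session user or against `leg.TripId`; a separator can therefore be attached to a trip the caller does not own. If the separator is meant for the same trip as the verified leg — which the `separator`/`legid` pairing suggests — use `TripId = leg.TripId,` and drop the `id` parameter from the insert; otherwise look `id` up with a `UserId` predicate before using it. The `db.Insert(new Leg {` initializer continues past the end of the hunk.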
|
|