- from flask import Flask, request, session, redirect, render_template_string, abort
# Application object. The secret key signs the client-side session cookie, so
# a short, published value like this one lets anyone mint a cookie carrying an
# arbitrary `user_id`. Outside a demo, load it from the environment and never
# commit it to source.
app = Flask(import_name=__name__)
app.config['SECRET_KEY'] = 'insecure-secret'
# In-memory user store keyed by integer user id. Passwords are kept in
# plaintext purely for the demo; a real store would hold a salted hash
# (e.g. werkzeug.security.generate_password_hash) and compare with
# check_password_hash rather than string equality.
users = {
    1: {'username': 'alice', 'password': 'pass1', 'role': 'user'},   # ordinary user
    2: {'username': 'bob', 'password': 'pass2', 'role': 'admin'},    # privileged user
}
# Templates: Jinja2 source strings rendered with render_template_string().
# The string bodies are part of the app's behaviour and are reproduced verbatim.

# Login form. The field names 'username' and 'password' must match the keys
# that login() reads from request.form.
login_template = '''
<h2>Login</h2>
<form method="POST">
Username: <input name="username"><br>
Password: <input name="password"><br>
<input type="submit" value="Login">
</form>
'''
# Dashboard for the logged-in user. The hard-coded link to /profile?user_id=1
# is the entry point of the IDOR demo: profile() trusts that query parameter
# without checking it against the session.
profile_template = '''
<h2>Welcome, {{ user['username'] }}</h2>
<p>Your role: {{ user['role'] }}</p>
<p><a href="/profile?user_id=1">View Alice's profile</a></p>
'''
# Rendered by admin() with no role check, so the "secret" below is readable
# by any client that requests /admin, logged in or not.
admin_panel = '''
<h2>Admin Panel</h2>
<p>Super secret password is "Password". Only visible to admins.</p>
'''
# Hidden field pre-filled with 'admin'. Anything in a submitted form is
# client-controlled, so edit_role() must not treat this value as an
# authorization decision; the demo does exactly that.
edit_role_form = '''
<h2>Edit Your Role</h2>
<form method="POST">
<input type="hidden" name="role" value="admin">
<input type="submit" value="Update Role">
</form>
'''
@app.route('/', methods=['GET', 'POST'])
def login():
    """Render the login form, or on POST check credentials and open a session.

    Walks the in-memory ``users`` table comparing the submitted username and
    password with the stored plaintext values. On a match the matching user id
    is written to the signed session cookie and the client is redirected to
    /dashboard; otherwise the plain body 'Login failed' is returned with 200.
    A form missing either field raises werkzeug's BadRequestKeyError (400) at
    the point the field is first read.
    """
    if request.method != 'POST':
        return render_template_string(login_template)
    submitted = request.form
    for candidate_id, record in users.items():
        # Keep the short-circuit order: the password field is only read when
        # the username already matches, exactly as in the original.
        if record['username'] == submitted['username'] and record['password'] == submitted['password']:
            session['user_id'] = candidate_id
            return redirect('/dashboard')
    return 'Login failed'
@app.route('/dashboard')
def dashboard():
    """Show the dashboard of the user identified by the session cookie.

    Reads ``session['user_id']`` (None when absent) and looks it up in
    ``users``. A missing or unknown id sends the client back to the login
    page instead of erroring.
    """
    current_id = session.get('user_id')
    current_user = users.get(current_id)
    if not current_user:
        return redirect('/')
    return render_template_string(profile_template, user=current_user)
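@app.route('/profile')
def profile():
    """Render the profile selected by the ``user_id`` query parameter.

    This is the IDOR demo: the id comes straight from the query string and is
    never compared with ``session['user_id']``, so any client (even one that
    is not logged in) can read every user's profile. The mitigation is a
    server-side ownership or authorization check before the lookup, e.g.
    ``if uid != session.get('user_id'): abort(403)``.

    Responds 400 when the parameter is missing or not an integer (previously
    ``int()`` raised and the request ended in a 500), and 404 for an id that
    is not in ``users``.
    """
    raw_uid = request.args.get('user_id')
    try:
        uid = int(raw_uid)
    except (TypeError, ValueError):
        # None (parameter absent) or non-numeric text: a client error, not a crash.
        abort(400)
    user = users.get(uid)
    if not user:
        abort(404)
    # The interpolated values come from the static table, not from the request,
    # so this f-string is not an XSS vector as written. If usernames ever become
    # user-supplied, escape them (markupsafe.escape) or render a Jinja template.
    return f"<h2>Profile of {user['username']}</h2><p>Role: {user['role']}</p>"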
@app.route('/admin')
def admin():
    """Render the admin panel.

    No authentication or role check is performed, so the page is served to
    every client. Gating it would mean resolving ``session['user_id']`` in
    ``users`` and aborting with 403 unless that record's role is 'admin'.
    """
    return render_template_string(source=admin_panel)
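@app.route('/edit-role', methods=['GET', 'POST'])
def edit_role():
    """Let the logged-in user submit a new role for their own account.

    Requires a session; anonymous clients are redirected to the login page.
    On POST the submitted ``role`` value is written into the user record
    verbatim, which is the privilege-escalation demo: the form is
    client-controlled, so a user can make themselves 'admin'. In a real
    application the role would be assigned server-side by an administrator
    and the form value ignored.

    A session whose user id is not in ``users`` (a stale or forged cookie)
    is treated like no session instead of raising KeyError into a 500.
    """
    uid = session.get('user_id')
    record = users.get(uid) if uid else None
    if record is None:
        return redirect('/')
    if request.method == 'POST':
        # Insecure by design: trusts the client-supplied role without validation.
        record['role'] = request.form['role']
        return redirect('/dashboard')
    return render_template_string(edit_role_form)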
if __name__ == '__main__':
    # debug=True turns on the Werkzeug interactive debugger and auto-reload.
    # The debugger gives anyone who can reach an error page an in-process
    # console, so keep this for local demos only and never bind it to a
    # public interface.
    app.run(debug=True)