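def _env_flag(name, default):
    """Return the boolean value of environment variable *name*.

    "1", "true", "yes" or "on" (case-insensitive) count as true; any other
    set value is false; an unset variable yields *default*.
    """
    value = os.environ.get(name)
    if value is None:
        return default
    return value.strip().lower() in ("1", "true", "yes", "on")


# Runtime configuration. Every setting can be overridden from the environment;
# the literal fallbacks are the original local-development values. The JWT
# signing key and the mail credentials are fallbacks for a developer machine
# only — any shared or public deployment must supply its own values through the
# environment (or a secret store) rather than through this file.
app.config.update(
    # Debug mode exposes the interactive debugger; keep it off outside development.
    DEBUG=_env_flag("FLASK_DEBUG", True),
    ENV=os.environ.get("FLASK_ENV", "development"),

    # Database config
    SQLALCHEMY_DATABASE_URI=os.environ.get(
        "SQLALCHEMY_DATABASE_URI",
        "sqlite:///" + os.path.join(basedir, "store.db"),
    ),

    # Authentication Config
    JWT_SECRET_KEY=os.environ.get("JWT_SECRET_KEY", "project-store"),
    # Access-token lifetime (presumably seconds — confirm against the JWT
    # extension in use).
    JWT_ACCESS_TOKEN_EXPIRES=int(os.environ.get("JWT_ACCESS_TOKEN_EXPIRES", "1000")),
    JWT_BLACKLIST_ENABLED=True,
    JWT_BLACKLIST_TOKEN_CHECKS=["access"],

    # Mail config
    MAIL_SERVER=os.environ.get("MAIL_SERVER", "smtp.mailtrap.io"),
    MAIL_PORT=int(os.environ.get("MAIL_PORT", "2525")),
    MAIL_USERNAME=os.environ.get("MAIL_USERNAME", "12dbf006d8cf45"),
    MAIL_PASSWORD=os.environ.get("MAIL_PASSWORD", "7c418e544b23d6"),
    MAIL_USE_TLS=_env_flag("MAIL_USE_TLS", False),
    MAIL_USE_SSL=_env_flag("MAIL_USE_SSL", False),
    MAIL_FROM_EMAIL=os.environ.get("MAIL_FROM_EMAIL", "glomz@store-api.com"),
)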
# Seed customers for the development database. The fields every record shares
# are spelled out once and unpacked into each constructor call.
# NOTE(review): passwords are stored exactly as written here; the login query
# elsewhere in this file compares them verbatim, so introducing hashing has to
# change the model, the login lookup and these seeds together.
_CUSTOMER_SEED_COMMON = dict(customer_fname="Test", customer_points=0)

customer1 = Customer(
    customer_lname="1",
    customer_gender="Male",
    customer_email="test1@gmail.com",
    customer_phone=92783652,
    customer_password="password",
    **_CUSTOMER_SEED_COMMON,
)

customer2 = Customer(
    customer_lname="2",
    customer_gender="Female",
    customer_email="test2@gmail.com",
    customer_phone=93829173,
    customer_password="test",
    **_CUSTOMER_SEED_COMMON,
)

customer3 = Customer(
    customer_lname="3",
    customer_gender="Others",
    customer_email="test3@gmail.com",
    customer_phone=83782983,
    customer_password="12345",
    **_CUSTOMER_SEED_COMMON,
)
# Seed staff accounts for the development database. Each record is built from
# a (name, email, gender, phone, position, password) tuple; the comment on each
# position records the responsibility the original author attached to it.
# NOTE(review): passwords are stored as written; the login query elsewhere in
# this file compares them verbatim.
_STAFF_SEED_ROWS = (
    ("Gianni", "Spencer", "gianni@business.com", "Female", 92837182,
     "Customer Representative",  # Manage Customers
     "passwd"),
    ("Michael", "Lin", "michael@business.com", "Male", 83782918,
     "Product Manager",  # Manage Products
     "MichaelLin"),
    ("Eden", "Estes", "eden@business.com", "Female", 84937823,
     "CEO",  # Root Access
     "p@ssw0rd"),
)


def _make_staff(first, last, email, gender, phone, position, password):
    """Build one Staff record from the seed tuple fields."""
    return Staff(
        staff_fname=first,
        staff_lname=last,
        staff_email=email,
        staff_gender=gender,
        staff_phone=phone,
        staff_position=position,
        staff_password=password,
    )


staff1, staff2, staff3 = (_make_staff(*row) for row in _STAFF_SEED_ROWS)
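# Staff-only product deletion. Both statements bind product_id as a query
# parameter instead of interpolating it into the SQL text, so the value is
# treated as data and cannot change the statement. The enclosing route, and
# whatever follows the delete (commit, response), lie outside this excerpt.
if login_staff.user_role == "staff":
    # NOTE(review): the original passed bare SQL strings to db.session.execute();
    # this keeps that legacy call shape and adds a bound parameter. On
    # SQLAlchemy 2.x the string must be wrapped in sqlalchemy.text() — confirm
    # the pinned version.
    query = "SELECT product_id FROM products WHERE product_id = :product_id"
    products_id = db.session.execute(query, {"product_id": product_id}).fetchall()
    if products_id:
        query = "DELETE FROM products WHERE product_id = :product_id"
        db.session.execute(query, {"product_id": product_id})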
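# Password field of the registration payload. Indexing req_data would raise
# KeyError (an unhandled 500) when the key is absent, so a missing key and an
# empty string are treated alike and answered with the original 409.
# TODO: enforce a minimum length / complexity policy here before storing it.
customer_password = req_data.get('customer_password')
if not customer_password:
    return jsonify(message="Field required"), 409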
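# Look the caller up in both account tables with bound parameters, so the
# submitted email and password are passed as data rather than spliced into the
# SQL text (the original interpolated both, which let a crafted email value
# bypass the password condition).
# NOTE(review): comparing the password inside the query means it is stored and
# compared in plaintext; moving to a salted hash requires changing the models
# and the seed data as well, which are outside this excerpt.
# NOTE(review): keeps the legacy bare-string db.session.execute() call used by
# the original; on SQLAlchemy 2.x wrap the SQL in sqlalchemy.text().
params = {"email": user_email, "password": user_password}
customer_user = db.session.execute(
    "SELECT * FROM Customer WHERE customer_email = :email AND customer_password = :password",
    params,
).first()
staff_user = db.session.execute(
    "SELECT * FROM Staff WHERE staff_email = :email AND staff_password = :password",
    params,
).first()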