From 888024b3610f7becc90e58a72d3f91aec8e9fe37 Mon Sep 17 00:00:00 2001
From: Stefano <ste.pigozzi@gmail.com>
Date: Wed, 13 Sep 2017 10:24:59 +0200
Subject: [PATCH] Create manual query page

---
 server.py           | 25 +++++++++++++++++++---
 templates/nav.htm   |  3 ++-
 templates/query.htm | 52 +++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 76 insertions(+), 4 deletions(-)
 create mode 100644 templates/query.htm

diff --git a/server.py b/server.py
index f7222db..3a92d4d 100644
--- a/server.py
+++ b/server.py
@@ -671,6 +671,25 @@ def page_user_add():
         return redirect(url_for('page_user_list'))
 
 
+@app.route('/query', methods=['GET', 'POST'])
+def page_query():
+    """Pagina delle query manuali:
+    in GET visualizza la pagina per fare una query,
+    mentre in POST visualizza i risultati."""
+    if 'username' not in session:
+        return abort(403)
+    if request.method == 'GET':
+        return render_template("query.htm", user=session["username"], type="query")
+    else:
+        try:
+            result = db.engine.execute("SELECT" + request.form["query"] + ";")
+        except Exception as e:
+            return render_template("query.htm", query=request.form["query"], error=repr(e), user=session["username"],
+                                   type="query")
+        return render_template("query.htm", query=request.form["query"], result=result, user=session["username"],
+                               type="query")
+
+
 @app.route('/smecds', methods=['GET'])
 def page_smecds():
     """Pagina che visualizza i credits del sito"""
@@ -682,17 +701,17 @@ def page_smecds():
 
 @app.errorhandler(403)
 def page_403(_):
-    return render_template('403.htm')
+    return render_template('403.htm', user=session["username"])
 
 
 @app.errorhandler(404)
 def page_404(_):
-    return render_template('404.htm')
+    return render_template('404.htm', user=session["username"])
 
 
 @app.errorhandler(500)
 def page_500(e):
-    return render_template('500.htm', e=e)
+    return render_template('500.htm', e=e, user=session["username"])
 
 
 if __name__ == "__main__":
diff --git a/templates/nav.htm b/templates/nav.htm
index 79d1396..b2a2484 100644
--- a/templates/nav.htm
+++ b/templates/nav.htm
@@ -16,7 +16,8 @@
                 <li class="{% if type is equalto "net" %}active{% endif %}"><a href="/net_list">Reti</a></li>
             </ul>
             <ul class="nav navbar-nav navbar-right">
-                <li class="{% if type is equalto "user" %}active{% endif %}"><a href="/user_list">Amministrazione</a></li>
+                <li class="{% if type is equalto "user" %}active{% endif %}"><a href="/user_list">Utenti</a></li>
+                <li class="{% if type is equalto "query" %}active{% endif %}"><a href="/query">Query</a></li>
                 <li class="navbar-text">
                     Sei connesso come <b>{{user}}</b>
                 </li>
diff --git a/templates/query.htm b/templates/query.htm
new file mode 100644
index 0000000..8350f0d
--- /dev/null
+++ b/templates/query.htm
@@ -0,0 +1,52 @@
+{% extends 'base.htm' %}
+{% block title %}Query • estus{% endblock %}
+{% block content %}
+    <div class="alert alert-warning">
+        <b>Attenzione!</b> In questa pagina non è presente alcuna misura per prevenire SQL Injection. Eseguite le query a vostro rischio e pericolo!
+    </div>
+    <form action="/query" method="post">
+        <div class="input-group">
+            <span class="input-group-addon">SELECT</span>
+            <input type="text" class="form-control" placeholder="Scrivi qui la tua query!" name="query" {% if query %}value="{{ query }}{% endif %}">
+            <span class="input-group-addon">;</span>
+        </div>
+    </form>
+    {% if result %}
+        <div class="panel panel-success">
+            <div class="panel-heading">
+                Risultati della query
+            </div>
+            <div class="panel-body">
+                <table class="table table-hover">
+                    <thead>
+                        <tr>
+                            {% for row in result.keys() %}
+                                <th>
+                                    {{ row }}
+                                </th>
+                            {% endfor %}
+                        </tr>
+                    </thead>
+                    <tbody>
+                        {% for row in result %}
+                            <tr>
+                                {% for column in row %}
+                                    <td>{{ column }}</td>
+                                {% endfor %}
+                            </tr>
+                        {% endfor %}
+                    </tbody>
+                </table>
+            </div>
+        </div>
+    {% elif error %}
+        <div class="panel panel-danger">
+            <div class="panel-heading">
+                Errore nell'esecuzione della query
+            </div>
+            <div class="panel-body">
+                {{ error }}
+            </div>
+        </div>
+    {% endif %}
+{% endblock %}
\ No newline at end of file