Merge branch 'master' into Develop

(Fix for #3005 and #2993)
2 months ago · 23a8a4657d
parent 990ad8d72d b38a1b2298
commit 23a8a4657d
4 changed files with 30 additions and 11 deletions
--- a/cps/admin.py
+++ b/cps/admin.py
@ -917,11 +917,15 @@ def list_restriction(res_type, user_id):

@admi.route("/ajax/fullsync", methods=["POST"])
@login_required
-def ajax_fullsync():
-    count = ub.session.query(ub.KoboSyncedBooks).filter(current_user.id == ub.KoboSyncedBooks.user_id).delete()
-    message = _("{} sync entries deleted").format(count)
-    ub.session_commit(message)
-    return Response(json.dumps([{"type": "success", "message": message}]), mimetype='application/json')
+def ajax_self_fullsync():
+    return do_full_kobo_sync(current_user.id)
+
+
+@admi.route("/ajax/fullsync/<int:userid>", methods=["POST"])
+@login_required
+@admin_required
+def ajax_fullsync(userid):
+    return do_full_kobo_sync(userid)


@admi.route("/ajax/pathchooser/")
@ -931,6 +935,13 @@ def ajax_pathchooser():
    return pathchooser()


+def do_full_kobo_sync(userid):
+    count = ub.session.query(ub.KoboSyncedBooks).filter(userid == ub.KoboSyncedBooks.user_id).delete()
+    message = _("{} sync entries deleted").format(count)
+    ub.session_commit(message)
+    return Response(json.dumps([{"type": "success", "message": message}]), mimetype='application/json')
+
+
 def check_valid_read_column(column):
    if column != "0":
        if not calibre_db.session.query(db.CustomColumns).filter(db.CustomColumns.id == column) \
--- a/cps/static/js/main.js
+++ b/cps/static/js/main.js
@ -621,8 +621,12 @@ $(function() {
           "btnfullsync",
            "GeneralDeleteModal",
            $(this).data('value'),
-            function(value){
-                path = getPath() + "/ajax/fullsync"
+            function(userid) {
+                if (userid) {
+                    path = getPath() + "/ajax/fullsync/" + userid
+                } else {
+                    path = getPath() + "/ajax/fullsync"
+                }
                $.ajax({
                    method:"post",
                    url: path,
--- a/cps/templates/user_edit.html
+++ b/cps/templates/user_edit.html
@ -67,7 +67,7 @@
      <div class="btn btn-danger" id="config_delete_kobo_token" data-value="{{ content.id }}" data-remote="false" {% if not content.remote_auth_token.first() %} style="display: none;" {% endif %}>{{_('Delete')}}</div>
    </div>
    <div class="form-group col">
-      <div class="btn btn-default" id="kobo_full_sync" data-value="{{ content.id }}" {% if not content.remote_auth_token.first() %} style="display: none;" {% endif %}>{{_('Force full kobo sync')}}</div>
+      <div class="btn btn-default" id="kobo_full_sync" data-value="{% if current_user.role_admin() %}{{ content.id }}{% else %}0{% endif %}" {% if not content.remote_auth_token.first() %} style="display: none;" {% endif %}>{{_('Force full kobo sync')}}</div>
    </div>
    {% endif %}
    <div class="col-sm-6">
--- a/cps/web.py
+++ b/cps/web.py
@ -86,9 +86,13 @@ except ImportError:

@app.after_request
 def add_security_headers(resp):
-    csp = "default-src 'self'"
-    csp += ''.join([' ' + host for host in config.config_trustedhosts.strip().split(',')])
-    csp += " 'unsafe-inline' 'unsafe-eval'; font-src 'self' data:; img-src 'self'"
+    default_src = ([host.strip() for host in config.config_trustedhosts.split(',') if host] +
+                   ["'self'", "'unsafe-inline'", "'unsafe-eval'"])
+    csp = "default-src " + ' '.join(default_src) + "; "
+    csp += "font-src 'self' data:"
+    if request.endpoint == "web.read_book":
+        csp += " blob:"
+    csp += "; img-src 'self'"
    if request.path.startswith("/author/") and config.config_use_goodreads:
        csp += " images.gr-assets.com i.gr-assets.com s.gr-assets.com"
    csp += " data:"