From: Ant Zucaro <azucaro@gmail.com>
Date: Wed, 18 Jun 2014 01:04:39 +0000 (-0400)
Subject: Add actual merge functionality.
X-Git-Url: https://git.rm.cloudns.org/?a=commitdiff_plain;h=ce16b0e45a6788a3728f9650af4c586fd95673a1;p=xonotic%2Fxonstat.git

Add actual merge functionality.
---

diff --git a/xonstat/templates/merge.mako b/xonstat/templates/merge.mako
index 49d389b..9704f21 100644
--- a/xonstat/templates/merge.mako
+++ b/xonstat/templates/merge.mako
@@ -33,7 +33,7 @@ ${nav.nav('players')}
         <!-- Form submitted? -->
         <input type="hidden" name="fs" />
 
-        <input type="hidden" name="csrf_token" value=${request.session.get_csrf_token()}/>
+        <input type="hidden" name="csrf_token" value="${request.session.get_csrf_token()}"/>
 
         <!-- Button -->
         <div class="control-group">
diff --git a/xonstat/views/admin.py b/xonstat/views/admin.py
index a1516bc..520f779 100644
--- a/xonstat/views/admin.py
+++ b/xonstat/views/admin.py
@@ -1,6 +1,7 @@
 from pyramid.response import Response
 from pyramid.httpexceptions import HTTPForbidden, HTTPFound
 from pyramid.security import remember, forget
+from pyramid.session import check_csrf_token
 from pyramid_persona.views import verify_login
 from xonstat.models import *
 
@@ -31,6 +32,31 @@ def login(request):
     # Return a json message containing the address or path to redirect to.
     return {'redirect': request.POST['came_from'], 'success': True}
 
+
 def merge(request):
     '''A simple merge view. The merge.mako template does the work.'''
+    s = DBSession()
+
+    # only do a merge if we have all of the required data
+    if request.params.has_key("csrf_token"):
+        # check the token to prevent request forgery
+        st = request.session.get_csrf_token()
+        log.debug("Session token is %s" % st)
+        log.debug("Request token is %s" % request.params.get('csrf_token'))
+        check_csrf_token(request)
+
+        if request.params.has_key("w_pid") and request.params.has_key("l_pid"):
+            w_pid = request.params.get("w_pid")
+            l_pid = request.params.get("l_pid")
+
+            # do the merge, hope for the best!
+            try:
+                s.execute("select merge_players(:w_pid, :l_pid)",
+                    {"w_pid": w_pid, "l_pid": l_pid})
+
+                s.commit()
+
+            except:
+                s.rollback()
+
     return {}