From 57eeb7c161d839a56670a0a2975e2961a8e81b71 Mon Sep 17 00:00:00 2001
From: David Haynes
Date: Wed, 26 Apr 2017 14:48:45 -0400
Subject: [PATCH] 2.2 Release

- Add in 2.2 CHANGELOG
- Fix last minute bug with the CSRF check
- Missed a spot in the footer
---
 CHANGELOG | 61 ++++++++++++++++++++++++++++-
 go/go/templates/layouts/footer.html | 2 +-
 go/go/views.py | 25 +++++++++---
 3 files changed, 80 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index 5360a6c..6c83b99 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,6 +1,63 @@ # Change Log -All notable changes to this project will be documented in this file. -This project adheres to [Semantic Versioning](http://semver.org/). +All notable changes to this project will be documented in this file. This +project adheres (to the best of our ability) to [Semantic Versioning](http://semver.org/). + +## [2.2.0] - 2017-26-04 + +### Added + +- LibreJS Compatible +- Current version of Go displayed in footer +- Warning model when interacting with /useradmin +- Can block users + - Blocked users may log in but cannot interact with the site + - Blocked users may be managed from /useradmin + - " " may be unblocked +- "New Link" button added to my_links view +- Python 3.4-3.6 support +- Django 1.11 upgrade +- Unit tests for all major Django components + - models + - views + - URLs + - forms + - random python files (cas_callbacks) +- Search bar in /useradmin +- Windows instructions in README +- Flake8 run on CI time +- Help text on the signup form +- Twitter card metadata +- Facebook/Opengraph metadata + +### Changed + +- Design consistency across error pages +- Project requirements follow two scoops style +- Go links cannot be rendered to itself +- Settings files inherit from one another + - Enviornment variables used instead of .template + - secret.py dropped + - local settings and prod settings +- Cache static pages +- Rate limit POST requests +- Homepage now defaults to my_links +- Imports are now explicit +- IE Compatible +- CSRF Protection for /delete + +### Fixed + +- Error pages are rendered correctly now +- HTTPS Go links displayed everywhere +- All content is served with HTTPS +- Dependecies are checked at CI time for updates +- Standardization of fonts + +### Removed + +- .template files +- secret.py +- LDAP support ## [2.1.1] - 2017-01-07 ### Added diff --git a/go/go/templates/layouts/footer.html b/go/go/templates/layouts/footer.html index 023995b..de4c3ab 100644 --- a/go/go/templates/layouts/footer.html 
+++ b/go/go/templates/layouts/footer.html @@ -6,7 +6,7 @@ GMU SRCT. | Read and contribute to our source code. | Freely-licensed under Apache 2.0. | - Go Version 2.1.1 + Go Version 2.2.0 diff --git a/go/go/views.py b/go/go/views.py index 9b04bcf..130d66f 100644 --- a/go/go/views.py +++ b/go/go/views.py @@ -314,6 +314,7 @@ def edit(request, short): # do not allow them to edit raise PermissionDenied() + @login_required def delete(request, short): """ @@ -329,15 +330,29 @@ def delete(request, short): url = get_object_or_404(URL, short__iexact=short) # If the RegisteredUser is the owner of the URL - if url.owner == request.user.registereduser and request.META['HTTP_REFERER'] == request.META['HTTP_HOST']: - # remove the URL - url.delete() - # redirect to my_links - return redirect('my_links') + if url.owner == request.user.registereduser: + # There are some instances where this request header does not exist, in + # this case we fallback to the insecure method + if request.META.get('HTTP_REFERER') is not None: + # Make sure that the requestee is from the same domain (go.gmu.edu) + if request.META.get('HTTP_REFERER') == request.META.get('HTTP_HOST'): + # remove the URL + url.delete() + # redirect to my_links + return redirect('my_links') + else: + raise PermissionDenied() + # Fallback and delete + else: + # remove the URL + url.delete() + # redirect to my_links + return redirect('my_links') else: # do not allow them to delete raise PermissionDenied() + @login_required def signup(request): """ -- GitLab
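Review bot: The Referer comparison inside the new `if url.owner == request.user.registereduser:` branch cannot succeed for a legitimate request, because `HTTP_REFERER` carries a full URL (scheme, host, path) while `HTTP_HOST` is only the host, so every request that sends a Referer ends in PermissionDenied and only a request without the header reaches the unchecked fallback that deletes the link. Since the header is optional and supplied by the client, that fallback means the comparison adds no cross-site protection and the only working path is the unprotected one. Django's CSRF middleware already validates the token (and the Referer on HTTPS requests) for unsafe methods, so the view should lean on it instead: restrict the view to POST (for example with `require_POST` from `django.views.decorators.http`) and keep only the ownership test; if the my_links template currently triggers deletion through a plain link, that link would need to become a small form submitted with `{% csrf_token %}`. delete's signature and docstring lie above the hunk, and the `@login_required` line shown below is the one added by the preceding hunk.
```python
@login_required
@require_POST  # unsafe method: the CSRF middleware checks the token (and Referer on HTTPS) before we get here
def delete(request, short):
    # … unchanged: docstring, url = get_object_or_404(URL, short__iexact=short) …
    if url.owner != request.user.registereduser:
        # do not allow them to delete
        raise PermissionDenied()
    url.delete()
    return redirect('my_links')
```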