Merge branch '2.2.2' into 'master'

2.2.2 See merge request !102

Merge branch '2.2.2' into 'master'
2.2.2 See merge request !102
77256145 · David Haynes · ff82252b · e4ed4f62 · 77256145 · 77256145
Commit 77256145 authored Aug 22, 2017 by David Haynes 🙆
6 changed files
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -2,6 +2,12 @@
 All notable changes to this project will be documented in this file. This 
 project adheres (to the best of our ability) to [Semantic Versioning](http://semver.org/).

+## [2.2.2] - 2017-21-08
+
+### Removed
+
+- Removed CSRF check on delete function
+
 ## [2.2.1] - 2017-13-05

 ### Fixed

--- a/go/go/forms.py
+++ b/go/go/forms.py
 """
 go/forms.py
 """
-
 # Future Imports
 from __future__ import (absolute_import, division, print_function,
                        unicode_literals)

 # Python stdlib Imports
 from datetime import datetime, timedelta
-from six.moves import urllib

 # Django Imports
 from django.core.exceptions import ValidationError
@@ -26,7 +24,7 @@ from bootstrap3_datetime.widgets import DateTimePicker
 from crispy_forms.bootstrap import (Accordion, AccordionGroup, PrependedText,
                                    StrictButton)
 from crispy_forms.helper import FormHelper
-from crispy_forms.layout import HTML, Div, Field, Fieldset, Layout, Submit
+from crispy_forms.layout import HTML, Div, Field, Fieldset, Layout


 class URLForm(ModelForm):
@@ -40,22 +38,9 @@ class URLForm(ModelForm):
        """
        Prevent redirect loop links
        """
-
        # get the entered target link
        target = self.cleaned_data.get('target')

-        try:
-            final_url = urllib.request.urlopen(target).geturl()
-        # if visiting the provided url results in an HTTP error, or redirects
-        # to a page that results in an HTTP error
-        except urllib.error.URLError as e:
-            # to permit users to enter sites that return most errors, but
-            # prevent them from entering sites that result in an HTTP 300 error
-            if any(int(str(e)[11:14]) == errorNum for errorNum in range(300, 308)):
-                raise ValidationError("Link results in a 300 error")
-            else:
-                final_url = ""
-
        # Commented out as this check cannont properly be tested since we cannot
        # dynamically generate request.META.get('HTTP_HOST')


--- a/go/go/templates/layouts/footer.html
+++ b/go/go/templates/layouts/footer.html
@@ -6,7 +6,7 @@
 	    <a href="http://srct.gmu.edu/">GMU<strong> SRCT</strong></a>. |
 			Read and contribute to our <a href="https://git.gmu.edu/srct/go/">source code</a>. |
 			Freely-licensed under <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache 2.0</a>. |
-			Go Version 2.2.1
+			Go Version 2.2.2
 		</span>
 	</div>

@@ -21,7 +21,7 @@
 			Freely-licensed under <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache 2.0</a>.
 		</div>
 		<div class="col-sm-4 text-muted">
-			Go Version 2.2.1
+			Go Version 2.2.2
 		</div>
 	</div>
 </footer>
--- a/go/go/views.py
+++ b/go/go/views.py
@@ -321,7 +321,6 @@ def delete(request, short):
    This view deletes a URL if you have the permission to. User must be
    logged in and registered, and must also be the owner of the URL.
    """
-
    # Do not allow unapproved users to delete links
    if not request.user.registereduser.approved:
        return render(request, 'not_registered.html')
@@ -331,28 +330,14 @@ def delete(request, short):

    # If the RegisteredUser is the owner of the URL
    if url.owner == request.user.registereduser:
-        # There are some instances where this request header does not exist, in
-        # this case we fallback to the insecure method
-        if request.META.get('HTTP_REFERER') is not None:
-            # Make sure that the requestee is from the same domain (go.gmu.edu)
-            if request.META.get('HTTP_REFERER') == request.META.get('HTTP_HOST'):
-                # remove the URL
-                url.delete()
-                # redirect to my_links
-                return redirect('my_links')
-            else:
-                raise PermissionDenied()
-        # Fallback and delete
-        else:
-            # remove the URL
-            url.delete()
-            # redirect to my_links
-            return redirect('my_links')
+        # remove the URL
+        url.delete()
+        # redirect to my_links
+        return redirect('my_links')
    else:
        # do not allow them to delete
        raise PermissionDenied()

-
 @login_required
 def signup(request):
    """

--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -7,8 +7,8 @@ git+https://github.com/kstateome/django-cas.git
 git+https://github.com/dhaynespls/django-bootstrap3-datetimepicker.git
 hashids==1.2.0
 mysqlclient
-redis==2.10.5
-requests==2.14.2
-simplejson==3.10.0
+redis==2.10.6
+requests==2.18.4
+simplejson==3.11.1
 six
-setuptools==35.0.2
\ No newline at end of file
+setuptools==36.2.7
\ No newline at end of file
--- a/requirements/ci.txt
+++ b/requirements/ci.txt
 -r base.txt
-flake8==3.3.0
+flake8==3.4.1
 pep8==1.7.0
-pyflakes==1.5.0
+pyflakes==1.6.0
 coverage