Commit 77256145 authored by David Haynes's avatar David Haynes 🙆

Merge branch '2.2.2' into 'master'

2.2.2

See merge request !102
parents ff82252b e4ed4f62
...@@ -2,6 +2,12 @@ ...@@ -2,6 +2,12 @@
All notable changes to this project will be documented in this file. This All notable changes to this project will be documented in this file. This
project adheres (to the best of our ability) to [Semantic Versioning](http://semver.org/). project adheres (to the best of our ability) to [Semantic Versioning](http://semver.org/).
## [2.2.2] - 2017-21-08
### Removed
- Removed CSRF check on delete function
## [2.2.1] - 2017-13-05 ## [2.2.1] - 2017-13-05
### Fixed ### Fixed
......
""" """
go/forms.py go/forms.py
""" """
# Future Imports # Future Imports
from __future__ import (absolute_import, division, print_function, from __future__ import (absolute_import, division, print_function,
unicode_literals) unicode_literals)
# Python stdlib Imports # Python stdlib Imports
from datetime import datetime, timedelta from datetime import datetime, timedelta
from six.moves import urllib
# Django Imports # Django Imports
from django.core.exceptions import ValidationError from django.core.exceptions import ValidationError
...@@ -26,7 +24,7 @@ from bootstrap3_datetime.widgets import DateTimePicker ...@@ -26,7 +24,7 @@ from bootstrap3_datetime.widgets import DateTimePicker
from crispy_forms.bootstrap import (Accordion, AccordionGroup, PrependedText, from crispy_forms.bootstrap import (Accordion, AccordionGroup, PrependedText,
StrictButton) StrictButton)
from crispy_forms.helper import FormHelper from crispy_forms.helper import FormHelper
from crispy_forms.layout import HTML, Div, Field, Fieldset, Layout, Submit from crispy_forms.layout import HTML, Div, Field, Fieldset, Layout
class URLForm(ModelForm): class URLForm(ModelForm):
...@@ -40,22 +38,9 @@ class URLForm(ModelForm): ...@@ -40,22 +38,9 @@ class URLForm(ModelForm):
""" """
Prevent redirect loop links Prevent redirect loop links
""" """
# get the entered target link # get the entered target link
target = self.cleaned_data.get('target') target = self.cleaned_data.get('target')
try:
final_url = urllib.request.urlopen(target).geturl()
# if visiting the provided url results in an HTTP error, or redirects
# to a page that results in an HTTP error
except urllib.error.URLError as e:
# to permit users to enter sites that return most errors, but
# prevent them from entering sites that result in an HTTP 300 error
if any(int(str(e)[11:14]) == errorNum for errorNum in range(300, 308)):
raise ValidationError("Link results in a 300 error")
else:
final_url = ""
# Commented out as this check cannont properly be tested since we cannot # Commented out as this check cannont properly be tested since we cannot
# dynamically generate request.META.get('HTTP_HOST') # dynamically generate request.META.get('HTTP_HOST')
......
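Review bot: The docstring at the top of this hunk still promises `Prevent redirect loop links`, but the hunk removes the only code that did that (the `urlopen` probe and the 300-range check), so the method no longer does what it documents, and `target` is now assigned without any visible use before the commented-out block; the method starts and ends outside the hunk, so a later read of `target` cannot be ruled out. Replace the docstring with what actually remains, e.g. `"""Validate the target link. The server-side fetch that detected redirect loops was removed; only the (disabled) same-host check below is left."""`, and drop the assignment if nothing after the hunk reads it. The 2.2.2 CHANGELOG entry lists only the CSRF change, so this removal should be recorded there as well. Not reinstating a server-side fetch of a user-supplied URL is the right direction, since that probe let the validator be pointed at arbitrary hosts reachable from the server.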
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
<a href="http://srct.gmu.edu/">GMU<strong> SRCT</strong></a>. | <a href="http://srct.gmu.edu/">GMU<strong> SRCT</strong></a>. |
Read and contribute to our <a href="https://git.gmu.edu/srct/go/">source code</a>. | Read and contribute to our <a href="https://git.gmu.edu/srct/go/">source code</a>. |
Freely-licensed under <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache 2.0</a>. | Freely-licensed under <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache 2.0</a>. |
Go Version 2.2.1 Go Version 2.2.2
</span> </span>
</div> </div>
...@@ -21,7 +21,7 @@ ...@@ -21,7 +21,7 @@
Freely-licensed under <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache 2.0</a>. Freely-licensed under <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache 2.0</a>.
</div> </div>
<div class="col-sm-4 text-muted"> <div class="col-sm-4 text-muted">
Go Version 2.2.1 Go Version 2.2.2
</div> </div>
</div> </div>
</footer> </footer>
...@@ -321,7 +321,6 @@ def delete(request, short): ...@@ -321,7 +321,6 @@ def delete(request, short):
This view deletes a URL if you have the permission to. User must be This view deletes a URL if you have the permission to. User must be
logged in and registered, and must also be the owner of the URL. logged in and registered, and must also be the owner of the URL.
""" """
# Do not allow unapproved users to delete links # Do not allow unapproved users to delete links
if not request.user.registereduser.approved: if not request.user.registereduser.approved:
return render(request, 'not_registered.html') return render(request, 'not_registered.html')
...@@ -331,28 +330,14 @@ def delete(request, short): ...@@ -331,28 +330,14 @@ def delete(request, short):
# If the RegisteredUser is the owner of the URL # If the RegisteredUser is the owner of the URL
if url.owner == request.user.registereduser: if url.owner == request.user.registereduser:
# There are some instances where this request header does not exist, in # remove the URL
# this case we fallback to the insecure method url.delete()
if request.META.get('HTTP_REFERER') is not None: # redirect to my_links
# Make sure that the requestee is from the same domain (go.gmu.edu) return redirect('my_links')
if request.META.get('HTTP_REFERER') == request.META.get('HTTP_HOST'):
# remove the URL
url.delete()
# redirect to my_links
return redirect('my_links')
else:
raise PermissionDenied()
# Fallback and delete
else:
# remove the URL
url.delete()
# redirect to my_links
return redirect('my_links')
else: else:
# do not allow them to delete # do not allow them to delete
raise PermissionDenied() raise PermissionDenied()
@login_required @login_required
def signup(request): def signup(request):
""" """
......
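Review bot: With the Referer comparison gone, nothing visible in delete() stops a cross-site request from reaching `url.delete()` for a logged-in owner, unless a decorator outside the hunk already restricts the view to POST (only the `def delete(request, short):` line is visible, in the @@ context, so decorators are not). The old check compared `HTTP_REFERER` (a full URL) with `HTTP_HOST` (a host name), which could never match, so removing it is understandable, but the replacement should be Django's own CSRF protection rather than nothing: add `@require_POST` from `django.views.decorators.http` and have the my_links template submit the delete through a `<form method="post">` with `{% csrf_token %}`, so CsrfViewMiddleware covers it. If the view is deliberately kept reachable by a plain GET link, a comment saying so above the `if url.owner == request.user.registereduser:` line would at least make the trade-off explicit. The body of delete() begins before this hunk.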
...@@ -7,8 +7,8 @@ git+https://github.com/kstateome/django-cas.git ...@@ -7,8 +7,8 @@ git+https://github.com/kstateome/django-cas.git
git+https://github.com/dhaynespls/django-bootstrap3-datetimepicker.git git+https://github.com/dhaynespls/django-bootstrap3-datetimepicker.git
hashids==1.2.0 hashids==1.2.0
mysqlclient mysqlclient
redis==2.10.5 redis==2.10.6
requests==2.14.2 requests==2.18.4
simplejson==3.10.0 simplejson==3.11.1
six six
setuptools==35.0.2 setuptools==36.2.7
\ No newline at end of file \ No newline at end of file
-r base.txt -r base.txt
flake8==3.3.0 flake8==3.4.1
pep8==1.7.0 pep8==1.7.0
pyflakes==1.5.0 pyflakes==1.6.0
coverage coverage