Commit e9064c5f authored by David Haynes's avatar David Haynes 🙆

Prevent redirect loops from being created

- the host url (in this case go.gmu.edu) is banned from being linked to
- prevents users trying to create links to trap users in redirect loops
- also a bit more documentation/formatting in crispy-forms cause it looked bad
parent 7f7ac514
...@@ -13,6 +13,14 @@ from crispy_forms.bootstrap import StrictButton, PrependedText, Accordion, Accor ...@@ -13,6 +13,14 @@ from crispy_forms.bootstrap import StrictButton, PrependedText, Accordion, Accor
class URLForm(forms.ModelForm): class URLForm(forms.ModelForm):
# Prevent redirect loop links
def clean_target(self):
target = self.cleaned_data.get('target')
if self.host in target:
raise ValidationError("You can't make a Go link to Go silly!")
else:
return target
# Custom target URL field # Custom target URL field
target = forms.URLField( target = forms.URLField(
required=True, required=True,
...@@ -62,77 +70,65 @@ class URLForm(forms.ModelForm): ...@@ -62,77 +70,65 @@ class URLForm(forms.ModelForm):
widget=forms.RadioSelect(), widget=forms.RadioSelect(),
) )
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
# Grab that host info
self.host = kwargs.pop('host', None)
super(URLForm, self).__init__(*args, **kwargs) super(URLForm, self).__init__(*args, **kwargs)
# Define the basics for crispy-forms
self.helper = FormHelper() self.helper = FormHelper()
self.helper.form_method = 'POST' self.helper.form_method = 'POST'
# Some xtra vars for form css purposes
self.helper.form_class = 'form-horizontal' self.helper.form_class = 'form-horizontal'
self.helper.label_class = 'col-md-1' self.helper.label_class = 'col-md-1'
self.helper.field_class = 'col-md-6' self.helper.field_class = 'col-md-6'
# The main "layout" defined
self.helper.layout = Layout( self.helper.layout = Layout(
Fieldset( Fieldset('',
'', #######################
Accordion( Accordion(
# Step 1: Long URL
AccordionGroup('Step 1: Long URL', AccordionGroup('Step 1: Long URL',
Div( Div(
HTML(""" HTML("""
<h4>Paste the URL you would like to shorten:</h4> <h4>Paste the URL you would like to shorten:</h4>
<br /> <br />"""),
"""),
'target', 'target',
style="background: rgb(#F6F6F6);", style="background: rgb(#F6F6F6);"),
title="target_url",
css_class="first_group",
),
css_id='firstCollapse',
active=True, active=True,
template='crispy/accordian-group.html', template='crispy/accordian-group.html'),
),
# Step 2: Short URL
AccordionGroup('Step 2: Short URL', AccordionGroup('Step 2: Short URL',
Div( Div(
HTML(""" HTML("""
<h4>Create a custom Go address:</h4> <h4>Create a custom Go address:</h4>
<br /> <br />"""),
"""), PrependedText(
PrependedText('short', 'short', 'https://go.gmu.edu/'),
'https://go.gmu.edu/', style="background: rgb(#F6F6F6);"),
),
style="background: rgb(#F6F6F6);",
title="short_url",
css_class="second_group",
),
css_id='secondCollapse',
active=True, active=True,
template='crispy/accordian-group.html', template='crispy/accordian-group.html',),
),
# Step 3: Expiration
AccordionGroup('Step 3: URL Expiration', AccordionGroup('Step 3: URL Expiration',
Div( Div(
HTML(""" HTML("""
<h4>Set when you would like your Go address to expire:</h4> <h4>Set when you would like your Go address to expire:</h4>
<br /> <br />"""),
"""),
'expires', 'expires',
style="background: rgb(#F6F6F6);", style="background: rgb(#F6F6F6);"),
title="expires_url",
css_class="third_group",
),
css_id='thirdCollapse',
active=True, active=True,
template='crispy/accordian-group.html', template='crispy/accordian-group.html'),
),
css_id='accordian',
template='crispy/accordian.html'
),
HTML("""
<br />
"""),
StrictButton('Shorten', css_class="btn btn-primary btn-md col-md-4", type='submit'),
)
)
# FIN
template='crispy/accordian.html'),
#######################
HTML("""
<br />"""),
StrictButton('Shorten', css_class="btn btn-primary btn-md col-md-4", type='submit')))
class Meta: class Meta:
model = URL model = URL
...@@ -149,6 +145,14 @@ class SignupForm(forms.ModelForm): ...@@ -149,6 +145,14 @@ class SignupForm(forms.ModelForm):
except RegisteredUser.DoesNotExist: except RegisteredUser.DoesNotExist:
return return
def clean_username(self):
# Prevent hax: (non-staff) Users cannot signup for other users
data_username = self.cleaned_data.get("username")
if not self.request.user.is_staff:
if self.request.user.username not in data_username:
raise ValidationError('username', "This is not your NetID!")
username = forms.CharField( username = forms.CharField(
required=True, required=True,
label='Mason NetID (Required)', label='Mason NetID (Required)',
...@@ -184,17 +188,6 @@ class SignupForm(forms.ModelForm): ...@@ -184,17 +188,6 @@ class SignupForm(forms.ModelForm):
label = mark_safe('Do you accept the <a href="#" target="_blank">Terms of Service</a>?'), label = mark_safe('Do you accept the <a href="#" target="_blank">Terms of Service</a>?'),
) )
def clean_username(self):
# Prevent hax: (non-staff) Users cannot signup for other users
cleaned_data = super(SignupForm, self).clean()
data_username = cleaned_data.get("username")
if not self.request.user.is_staff:
if self.request.user.username not in data_username:
self.add_error('username', "This is not your NetID!")
return data_username
def __init__(self, request, *args, **kwargs): def __init__(self, request, *args, **kwargs):
# Necessary to call request in forms.py, is otherwise restricted to views.py and models.py # Necessary to call request in forms.py, is otherwise restricted to views.py and models.py
self.request = request self.request = request
...@@ -205,22 +198,20 @@ class SignupForm(forms.ModelForm): ...@@ -205,22 +198,20 @@ class SignupForm(forms.ModelForm):
self.helper.field_class = 'col-md-6' self.helper.field_class = 'col-md-6'
self.helper.layout = Layout( self.helper.layout = Layout(
Fieldset( Fieldset('',
'',
Div( Div(
# Place in form fields
Div( Div(
'username', 'username',
'full_name', 'full_name',
'organization', 'organization',
'description', 'description',
'tos_box', 'tos_box',
css_class='well', css_class='well'),
),
# Extras at bottom
StrictButton('Submit',css_class='btn btn-primary btn-md col-md-4', type='submit'), StrictButton('Submit',css_class='btn btn-primary btn-md col-md-4', type='submit'),
css_class='col-md-6', css_class='col-md-6')))
),
)
)
class Meta: class Meta:
model = RegisteredUser model = RegisteredUser
fields = '__all__' fields = '__all__'
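Review bot: `if self.host in target:` in the new `clean_target` is a substring test on a value that `__init__` defaults to None when the caller omits `host`, so `None in target` raises TypeError instead of producing a validation error, and a target such as `https://example.org/?ref=go.gmu.edu` is rejected while a differently-cased spelling of the site's own host is not. Comparing parsed hostnames is more robust: `if self.host and urlparse(target).hostname == urlparse('//' + self.host).hostname:` (with `from urllib.parse import urlparse` added to the imports at the top of forms.py), which also tolerates a port in the Host value. The relocated `clean_username` in the later hunk has the same substring weakness — `self.request.user.username not in data_username` accepts any NetID that merely contains the caller's own, so `!=` is the intended comparison — and it now neither returns `data_username` nor passes the message as the first argument of `ValidationError` (the removed version used `add_error`, whose first argument is the field name); `raise ValidationError("This is not your NetID!")` plus a trailing `return data_username` restores the intended behaviour.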
...@@ -3,7 +3,7 @@ from django.conf import settings ...@@ -3,7 +3,7 @@ from django.conf import settings
from django.http import HttpResponseServerError # Http404 from django.http import HttpResponseServerError # Http404
from django.utils import timezone from django.utils import timezone
from django.core.exceptions import PermissionDenied # ValidationError from django.core.exceptions import PermissionDenied # ValidationError
from django.core.mail import send_mail, send_mass_mail, EmailMessage from django.core.mail import send_mail, EmailMessage
from django.contrib.auth import REDIRECT_FIELD_NAME from django.contrib.auth import REDIRECT_FIELD_NAME
from django.contrib.auth.decorators import user_passes_test, login_required from django.contrib.auth.decorators import user_passes_test, login_required
from django.shortcuts import render, get_object_or_404, redirect from django.shortcuts import render, get_object_or_404, redirect
...@@ -70,10 +70,10 @@ def index(request): ...@@ -70,10 +70,10 @@ def index(request):
if not is_approved(request.user): if not is_approved(request.user):
return render(request, 'not_registered.html') return render(request, 'not_registered.html')
url_form = URLForm() # unbound form url_form = URLForm(host=request.META.get('HTTP_HOST')) # unbound form
if request.method == 'POST': if request.method == 'POST':
url_form = URLForm(request.POST) # bind dat form url_form = URLForm(request.POST, host=request.META.get('HTTP_HOST')) # bind dat form
if url_form.is_valid(): if url_form.is_valid():
# We don't commit the url object yet because we need to add its # We don't commit the url object yet because we need to add its
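Review bot: `request.META.get('HTTP_HOST')` on both changed lines is the raw Host header, which is not validated against `ALLOWED_HOSTS` and is None when the header is absent; since `URLForm.clean_target` uses this value as its loop guard, the guard follows whatever host the client sends rather than the site's own address. `request.get_host()` applies the `ALLOWED_HOSTS` check, or better, pass the canonical site host from settings so the check does not depend on request headers at all. The expression is duplicated on the unbound and POST paths; binding it once to a local before the `if` would keep the two constructions in sync. `index` continues outside the hunk.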