From 9c33d0ebfa4928dd452ff975f942515c3fef89d0 Mon Sep 17 00:00:00 2001
From: Mouse Reeve
Date: Sat, 28 Nov 2020 08:22:25 -0800
Subject: [PATCH] use require_GET decorator
---
 bookwyrm/view_actions.py | 53 ++++++++++++++++++++++++++++------------
 bookwyrm/views.py | 38 +++++++++++++++++++---------
 2 files changed, 64 insertions(+), 27 deletions(-)
diff --git a/bookwyrm/view_actions.py b/bookwyrm/view_actions.py
index ad9a12cf7..f59b4e0e2 100644
--- a/bookwyrm/view_actions.py
+++ b/bookwyrm/view_actions.py
@@ -14,6 +14,7 @@ from django.http import HttpResponseBadRequest, HttpResponseNotFound
 from django.shortcuts import get_object_or_404, redirect
 from django.template.response import TemplateResponse
 from django.utils import timezone
+from django.views.decorators.http import require_GET, require_POST
 from bookwyrm import books_manager
 from bookwyrm import forms, models, outgoing
@@ -23,11 +24,9 @@ from bookwyrm.settings import DOMAIN
 from bookwyrm.views import get_user_from_username
+@require_GET
 def user_login(request):
 ''' authenticate user login '''
- if request.method == 'GET':
- return redirect('/login')
-
 login_form = forms.LoginForm(request.POST)
 username = login_form.data['username']
@@ -50,11 +49,9 @@ def user_login(request):
 return TemplateResponse(request, 'login.html', data)
+@require_GET
 def register(request):
 ''' join the server '''
- if request.method == 'GET':
- return redirect('/login')
-
 if not models.SiteSettings.get().allow_registration:
 invite_code = request.POST.get('invite_code')
@@ -97,12 +94,14 @@ def register(request):
 @login_required
+@require_GET
 def user_logout(request):
 ''' done with this place! outa here! '''
 logout(request)
 return redirect('/')
+@require_POST
 def password_reset_request(request):
 ''' create a password reset token '''
 email = request.POST.get('email')
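Review bot: `user_login` is decorated `@require_GET` in the `@@ -23,11 +24,9 @@` hunk, yet its body still builds `forms.LoginForm(request.POST)`, so the login form's POST now receives a 405 and a plain GET falls through to a form built from an empty POST; the decorator should read `@require_POST`. The same mismatch is in the next hunk, where `register` gets `@require_GET` while reading `request.POST.get('invite_code')`. With `@require_POST` the GET-redirect-to-`/login` branch that these hunks remove becomes a 405 instead, which is consistent with the other action views in this file. The bodies of both views continue past their hunks.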
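Review bot: `user_logout` in the `@@ -97,12 +94,14 @@` hunk becomes GET-only while still calling `logout(request)`, a state change reachable from a plain link, so it sits outside the CSRF protection that the POST-only views in this file now get; a cross-site page embedding that URL can end a user's session. Prefer `@require_POST` here as well and render the logout control as a form; Django's own `LogoutView` later moved to POST for the same reason. `password_reset_request` in the same hunk is correctly POST-only.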
@@ -121,6 +120,7 @@ def password_reset_request(request):
 return TemplateResponse(request, 'password_reset_request.html', data)
+@require_POST
 def password_reset(request):
 ''' allow a user to change their password through an emailed token '''
 try:
@@ -148,6 +148,7 @@ def password_reset(request):
 @login_required
+@require_POST
 def password_change(request):
 ''' allow a user to change their password '''
 new_password = request.POST.get('password')
@@ -163,11 +164,9 @@ def password_change(request):
 @login_required
+@require_POST
 def edit_profile(request):
 ''' les get fancy with images '''
- if not request.method == 'POST':
- return redirect('/user/%s' % request.user.localname)
-
 form = forms.EditUserForm(request.POST, request.FILES)
 if not form.is_valid():
 data = {
@@ -226,11 +225,9 @@ def resolve_book(request):
 @login_required
 @permission_required('bookwyrm.edit_book', raise_exception=True)
+@require_POST
 def edit_book(request, book_id):
 ''' edit a book cool '''
- if not request.method == 'POST':
- return redirect('/book/%s' % book_id)
-
 book = get_object_or_404(models.Edition, id=book_id)
 form = forms.EditionForm(request.POST, request.FILES, instance=book)
@@ -248,11 +245,9 @@ def edit_book(request, book_id):
 @login_required
+@require_POST
 def upload_cover(request, book_id):
 ''' upload a new cover '''
- if not request.method == 'POST':
- return redirect('/book/%s' % request.user.localname)
-
 book = get_object_or_404(models.Edition, id=book_id)
 form = forms.CoverForm(request.POST, request.FILES, instance=book)
@@ -268,6 +263,7 @@ def upload_cover(request, book_id):
 @login_required
+@require_POST
 def create_shelf(request):
 ''' user generated shelves '''
 form = forms.ShelfForm(request.POST)
@@ -280,6 +276,7 @@ def create_shelf(request):
 @login_required
+@require_POST
 def edit_shelf(request, shelf_id):
 ''' user generated shelves '''
 shelf = get_object_or_404(models.Shelf, id=shelf_id)
@@ -295,6 +292,7 @@ def edit_shelf(request, shelf_id):
 @login_required
+@require_POST
 def delete_shelf(request, shelf_id):
 ''' user generated shelves '''
 shelf = get_object_or_404(models.Shelf, id=shelf_id)
@@ -306,6 +304,7 @@ def delete_shelf(request, shelf_id):
 @login_required
+@require_POST
 def shelve(request):
 ''' put a on a user's shelf '''
 book = books_manager.get_edition(request.POST['book'])
@@ -340,6 +339,7 @@ def shelve(request):
 @login_required
+@require_POST
 def unshelve(request):
 ''' put a on a user's shelf '''
 book = models.Edition.objects.get(id=request.POST['book'])
@@ -350,6 +350,7 @@ def unshelve(request):
 @login_required
+@require_POST
 def start_reading(request, book_id):
 ''' begin reading a book '''
 book = books_manager.get_edition(book_id)
@@ -385,6 +386,7 @@ def start_reading(request, book_id):
 @login_required
+@require_POST
 def finish_reading(request, book_id):
 ''' a user completed a book, yay '''
 book = books_manager.get_edition(book_id)
@@ -420,6 +422,7 @@ def finish_reading(request, book_id):
 @login_required
+@require_POST
 def edit_readthrough(request):
 ''' can't use the form because the dates are too finnicky '''
 readthrough = update_readthrough(request, create=False)
@@ -435,6 +438,7 @@ def edit_readthrough(request):
 @login_required
+@require_POST
 def delete_readthrough(request):
 ''' remove a readthrough '''
 readthrough = get_object_or_404(
@@ -449,6 +453,7 @@ def delete_readthrough(request):
 @login_required
+@require_POST
 def rate(request):
 ''' just a star rating for a book '''
 form = forms.RatingForm(request.POST)
@@ -456,6 +461,7 @@ def rate(request):
 @login_required
+@require_POST
 def review(request):
 ''' create a book review '''
 form = forms.ReviewForm(request.POST)
@@ -463,6 +469,7 @@ def review(request):
 @login_required
+@require_POST
 def quotate(request):
 ''' create a book quotation '''
 form = forms.QuotationForm(request.POST)
@@ -470,6 +477,7 @@ def quotate(request):
 @login_required
+@require_POST
 def comment(request):
 ''' create a book comment '''
 form = forms.CommentForm(request.POST)
@@ -477,6 +485,7 @@ def comment(request):
 @login_required
+@require_POST
 def reply(request):
 ''' respond to a book review '''
 form = forms.ReplyForm(request.POST)
@@ -493,6 +502,7 @@ def handle_status(request, form):
 @login_required
+@require_POST
 def tag(request):
 ''' tag a book '''
 # I'm not using a form here because sometimes "name" is sent as a hidden
@@ -512,6 +522,7 @@ def tag(request):
 @login_required
+@require_POST
 def untag(request):
 ''' untag a book '''
 name = request.POST.get('name')
@@ -522,6 +533,7 @@ def untag(request):
 @login_required
+@require_POST
 def favorite(request, status_id):
 ''' like a status '''
 status = models.Status.objects.get(id=status_id)
@@ -530,6 +542,7 @@ def favorite(request, status_id):
 @login_required
+@require_POST
 def unfavorite(request, status_id):
 ''' like a status '''
 status = models.Status.objects.get(id=status_id)
@@ -538,6 +551,7 @@ def unfavorite(request, status_id):
 @login_required
+@require_POST
 def boost(request, status_id):
 ''' boost a status '''
 status = models.Status.objects.get(id=status_id)
@@ -546,6 +560,7 @@ def boost(request, status_id):
 @login_required
+@require_POST
 def unboost(request, status_id):
 ''' boost a status '''
 status = models.Status.objects.get(id=status_id)
@@ -554,6 +569,7 @@ def unboost(request, status_id):
 @login_required
+@require_POST
 def delete_status(request, status_id):
 ''' delete and tombstone a status '''
 status = get_object_or_404(models.Status, id=status_id)
@@ -568,6 +584,7 @@ def delete_status(request, status_id):
 @login_required
+@require_POST
 def follow(request):
 ''' follow another user, here or abroad '''
 username = request.POST['user']
@@ -583,6 +600,7 @@ def follow(request):
 @login_required
+@require_POST
 def unfollow(request):
 ''' unfollow a user '''
 username = request.POST['user']
@@ -605,6 +623,7 @@ def clear_notifications(request):
 @login_required
+@require_POST
 def accept_follow_request(request):
 ''' a user accepts a follow request '''
 username = request.POST['user']
@@ -628,6 +647,7 @@ def accept_follow_request(request):
 @login_required
+@require_POST
 def delete_follow_request(request):
 ''' a user rejects a follow request '''
 username = request.POST['user']
@@ -649,6 +669,7 @@ def delete_follow_request(request):
 @login_required
+@require_POST
 def import_data(request):
 ''' ingest a goodreads csv '''
 form = forms.ImportForm(request.POST, request.FILES)
@@ -672,6 +693,7 @@ def import_data(request):
 @login_required
+@require_POST
 def retry_import(request):
 ''' ingest a goodreads csv '''
 job = get_object_or_404(models.ImportJob, id=request.POST.get('import_job'))
@@ -689,6 +711,7 @@ def retry_import(request):
 @login_required
+@require_POST
 @permission_required('bookwyrm.create_invites', raise_exception=True)
 def create_invite(request):
 ''' creates a user invite database entry '''
diff --git a/bookwyrm/views.py b/bookwyrm/views.py
index 38e882cd5..e0feaee75 100644
--- a/bookwyrm/views.py
+++ b/bookwyrm/views.py
@@ -11,6 +11,7 @@ from django.core.exceptions import PermissionDenied
 from django.shortcuts import get_object_or_404, redirect
 from django.template.response import TemplateResponse
 from django.views.decorators.csrf import csrf_exempt
+from django.views.decorators.http import require_GET
 from bookwyrm import outgoing
 from bookwyrm.activitypub import ActivityEncoder
@@ -47,12 +48,14 @@ def not_found_page(request, _):
 @login_required
+@require_GET
 def home(request):
 ''' this is the same as the feed on the home tab '''
 return home_tab(request, 'home')
 @login_required
+@require_GET
 def home_tab(request, tab):
 ''' user's homepage with activity feed '''
 try:
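Review bot: `create_invite` in the `@@ -689,6 +711,7 @@` hunk stacks `@require_POST` above `@permission_required(...)`, whereas `edit_book` earlier in this file puts `@permission_required` above `@require_POST`; the order decides whether an authenticated user lacking the permission gets a 405 or a 403 on a non-POST request, so one order should be used for both. Placing the method check innermost here, `@permission_required('bookwyrm.create_invites', raise_exception=True)` followed by `@require_POST`, matches `edit_book` and `manage_invites` in views.py. The function body lies outside the hunk.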
@@ -160,6 +163,7 @@ def get_activity_feed(user, filter_level, model=models.Status):
 return activities
+@require_GET
 def search(request):
 ''' that search bar up top '''
 query = request.GET.get('q')
@@ -191,6 +195,7 @@ def search(request):
 @login_required
+@require_GET
 def import_page(request):
 ''' import history from goodreads '''
 return TemplateResponse(request, 'import.html', {
@@ -203,6 +208,7 @@ def import_page(request):
 @login_required
+@require_GET
 def import_status(request, job_id):
 ''' status of an import job '''
 job = models.ImportJob.objects.get(id=job_id)
@@ -221,6 +227,7 @@ def import_status(request, job_id):
 })
+@require_GET
 def login_page(request):
 ''' authentication '''
 if request.user.is_authenticated:
@@ -235,6 +242,7 @@ def login_page(request):
 return TemplateResponse(request, 'login.html', data)
+@require_GET
 def about_page(request):
 ''' more information about the instance '''
 data = {
@@ -244,6 +252,7 @@ def about_page(request):
 return TemplateResponse(request, 'about.html', data)
+@require_GET
 def password_reset_request(request):
 ''' invite management page '''
 return TemplateResponse(
@@ -253,6 +262,7 @@ def password_reset_request(request):
 )
+@require_GET
 def password_reset(request, code):
 ''' endpoint for sending invites '''
 if request.user.is_authenticated:
@@ -271,6 +281,7 @@ def password_reset(request, code):
 )
+@require_GET
 def invite_page(request, code):
 ''' endpoint for sending invites '''
 if request.user.is_authenticated:
@@ -293,6 +304,7 @@ def invite_page(request, code):
 @login_required
 @permission_required('bookwyrm.create_invites', raise_exception=True)
+@require_GET
 def manage_invites(request):
 ''' invite management page '''
 data = {
@@ -304,6 +316,7 @@ def manage_invites(request):
 @login_required
+@require_GET
 def notifications_page(request):
 ''' list notitications '''
 notifications = request.user.notification_set.all() \
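Review bot: The docstrings in the `@@ -244,6 +252,7 @@` and `@@ -253,6 +262,7 @@` hunks do not describe the views they sit on: `password_reset_request` says `''' invite management page '''` and `password_reset` says `''' endpoint for sending invites '''`, the same text `invite_page` carries two hunks later. Since the commit touches each of these headers anyway, it is a cheap moment to fix them, for example `''' page for requesting a password reset email '''` and `''' page for setting a new password from an emailed reset code '''`, adjusted to whatever the templates actually render. Both view bodies continue outside their hunks.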
@@ -319,6 +332,7 @@ def notifications_page(request):
 @csrf_exempt
+@require_GET
 def user_page(request, username):
 ''' profile page for a user '''
 try:
@@ -387,11 +401,9 @@ def user_page(request, username):
 @csrf_exempt
+@require_GET
 def followers_page(request, username):
 ''' list of followers '''
- if request.method != 'GET':
- return HttpResponseBadRequest()
-
 try:
 user = get_user_from_username(username)
 except models.User.DoesNotExist:
@@ -410,11 +422,9 @@ def followers_page(request, username):
 @csrf_exempt
+@require_GET
 def following_page(request, username):
 ''' list of followers '''
- if request.method != 'GET':
- return HttpResponseBadRequest()
-
 try:
 user = get_user_from_username(username)
 except models.User.DoesNotExist:
@@ -433,11 +443,9 @@ def following_page(request, username):
 @csrf_exempt
+@require_GET
 def status_page(request, username, status_id):
 ''' display a particular status (and replies, etc) '''
- if request.method != 'GET':
- return HttpResponseBadRequest()
-
 try:
 user = get_user_from_username(username)
 status = models.Status.objects.select_subclasses().get(id=status_id)
@@ -476,11 +484,9 @@ def status_visible_to_user(viewer, status):
 @csrf_exempt
+@require_GET
 def replies_page(request, username, status_id):
 ''' ordered collection of replies to a status '''
- if request.method != 'GET':
- return HttpResponseBadRequest()
-
 if not is_api_request(request):
 return status_page(request, username, status_id)
@@ -495,6 +501,7 @@ def replies_page(request, username, status_id):
 @login_required
+@require_GET
 def edit_profile_page(request):
 ''' profile page for a user '''
 user = request.user
@@ -508,6 +515,7 @@ def edit_profile_page(request):
 return TemplateResponse(request, 'edit_user.html', data)
+@require_GET
 def book_page(request, book_id):
 ''' info about a book '''
 try:
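Review bot: The `@@ -387,11 +401,9 @@`, `@@ -410,11 +422,9 @@`, `@@ -433,11 +443,9 @@` and `@@ -476,11 +484,9 @@` hunks remove every `return HttpResponseBadRequest()` visible in views.py; if no other use remains, the `HttpResponseBadRequest` import at the top of the file (not part of the shown import hunk) is now dead and should be dropped. Worth stating in the commit message: non-GET requests to these `@csrf_exempt` endpoints now get Django's 405 with an `Allow` header instead of a 400, which is the more accurate answer for API callers but is a visible contract change. Separately, `following_page` keeps the docstring `''' list of followers '''` copied from `followers_page`; `''' list of accounts this user follows '''` would fit. The bodies of these views continue outside their hunks.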
@@ -595,6 +603,7 @@ def book_page(request, book_id):
 @login_required
 @permission_required('bookwyrm.edit_book', raise_exception=True)
+@require_GET
 def edit_book_page(request, book_id):
 ''' info about a book '''
 book = books_manager.get_edition(book_id)
@@ -608,6 +617,7 @@ def edit_book_page(request, book_id):
 return TemplateResponse(request, 'edit_book.html', data)
+@require_GET
 def editions_page(request, book_id):
 ''' list of editions of a book '''
 work = get_object_or_404(models.Work, id=book_id)
@@ -627,6 +637,7 @@ def editions_page(request, book_id):
 return TemplateResponse(request, 'editions.html', data)
+@require_GET
 def author_page(request, author_id):
 ''' landing page for an author '''
 author = get_object_or_404(models.Author, id=author_id)
@@ -643,6 +654,7 @@ def author_page(request, author_id):
 return TemplateResponse(request, 'author.html', data)
+@require_GET
 def tag_page(request, tag_id):
 ''' books related to a tag '''
 tag_obj = models.Tag.objects.filter(identifier=tag_id).first()
@@ -663,11 +675,13 @@ def tag_page(request, tag_id):
 @csrf_exempt
+@require_GET
 def user_shelves_page(request, username):
 ''' list of followers '''
 return shelf_page(request, username, None)
+@require_GET
 def shelf_page(request, username, shelf_identifier):
 ''' display a shelf '''
 try:
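Review bot: `edit_book_page` in the `@@ -595,6 +603,7 @@` hunk keeps the docstring `''' info about a book '''` copied from `book_page`, and `user_shelves_page` in the `@@ -663,11 +675,13 @@` hunk keeps `''' list of followers '''`; neither describes the view it sits on. Replacing them with `''' form for editing a book's details '''` and `''' a user's shelves, via shelf_page with no shelf selected '''` would match what the visible lines do (the latter only returns `shelf_page(request, username, None)`). The bodies of `edit_book_page` and `shelf_page` continue outside their hunks.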