mirrors/bookwyrm
1
0
Fork 1
mirror of https://github.com/bookwyrm-social/bookwyrm.git synced 2024-05-21 01:38:07 +00:00
Code Issues Projects Releases Wiki Activity

Remmoves insecure redirects

Browse source 
This should really fundamentally work differently, but this is a quick
for for now to avoid an insecure redirect. There will be a negative
impact on user experience from this, and a followup change should look
into these views and improve their flow.
This commit is contained in:
Mouse Reeve 2022-07-14 11:13:11 -07:00
parent e3dbe5a142
commit 661865de87
6 changed files with 19 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
bookwyrm/views/goal.py
View file

@ -70,7 +70,7 @@ class Goal(View):
privacy=goal.privacy,
)
return redirect(request.headers.get("Referer", "/"))
return redirect("user-goal", request.user.localname, year)
@require_POST
@ -79,4 +79,4 @@ def hide_goal(request):
"""don't keep bugging people to set a goal"""
request.user.show_goal = False
request.user.save(broadcast=False, update_fields=["show_goal"])
return redirect(request.headers.get("Referer", "/"))
return redirect("/")

10
bookwyrm/views/interaction.py
View file

@ -28,7 +28,7 @@ class Favorite(View):
if is_api_request(request):
return HttpResponse()
return redirect(request.headers.get("Referer", "/"))
return redirect("/")
@method_decorator(login_required, name="dispatch")
@ -48,7 +48,7 @@ class Unfavorite(View):
favorite.delete()
if is_api_request(request):
return HttpResponse()
return redirect(request.headers.get("Referer", "/"))
return redirect("/")
@method_decorator(login_required, name="dispatch")
@ -67,7 +67,7 @@ class Boost(View):
boosted_status=status, user=request.user
).exists():
# you already boosted that.
return redirect(request.headers.get("Referer", "/"))
return redirect("/")
models.Boost.objects.create(
boosted_status=status,
@ -76,7 +76,7 @@ class Boost(View):
)
if is_api_request(request):
return HttpResponse()
return redirect(request.headers.get("Referer", "/"))
return redirect("/")
@method_decorator(login_required, name="dispatch")
@ -94,4 +94,4 @@ class Unboost(View):
boost.delete()
if is_api_request(request):
return HttpResponse()
return redirect(request.headers.get("Referer", "/"))
return redirect("/")

10
bookwyrm/views/reading.py
View file

@ -79,13 +79,11 @@ class ReadingStatus(View):
current_status_shelfbook = shelves[0] if shelves else None
# checking the referer prevents redirecting back to the modal page
referer = request.headers.get("Referer", "/")
referer = "/" if "reading-status" in referer else referer
if current_status_shelfbook is not None:
if current_status_shelfbook.shelf.identifier != desired_shelf.identifier:
current_status_shelfbook.delete()
else: # It already was on the shelf
return redirect(referer)
return redirect("/")
models.ShelfBook.objects.create(
book=book, shelf=desired_shelf, user=request.user
@ -123,7 +121,7 @@ class ReadingStatus(View):
if is_api_request(request):
return HttpResponse()
return redirect(referer)
return redirect("/")
@method_decorator(login_required, name="dispatch")
@ -205,7 +203,7 @@ def delete_readthrough(request):
readthrough.raise_not_deletable(request.user)
readthrough.delete()
return redirect(request.headers.get("Referer", "/"))
return redirect("/")
@login_required
@ -216,4 +214,4 @@ def delete_progressupdate(request):
update.raise_not_deletable(request.user)
update.delete()
return redirect(request.headers.get("Referer", "/"))
return redirect("/")

8
bookwyrm/views/shelf/shelf_actions.py
View file

@ -13,7 +13,7 @@ def create_shelf(request):
"""user generated shelves"""
form = forms.ShelfForm(request.POST)
if not form.is_valid():
return redirect(request.headers.get("Referer", "/"))
return redirect("user-shelves", request.user.localname)
shelf = form.save()
return redirect(shelf.local_path)
@ -70,7 +70,7 @@ def shelve(request):
):
current_read_status_shelfbook.delete()
else: # It is already on the shelf
return redirect(request.headers.get("Referer", "/"))
return redirect("/")
# create the new shelf-book entry
models.ShelfBook.objects.create(
@ -86,7 +86,7 @@ def shelve(request):
# Might be good to alert, or reject the action?
except IntegrityError:
pass
return redirect(request.headers.get("Referer", "/"))
return redirect("/")
@login_required
@ -100,4 +100,4 @@ def unshelve(request, book_id=False):
)
shelf_book.raise_not_deletable(request.user)
shelf_book.delete()
return redirect(request.headers.get("Referer", "/"))
return redirect("/")

6
bookwyrm/views/status.py
View file

@ -82,7 +82,7 @@ class CreateStatus(View):
if is_api_request(request):
logger.exception(form.errors)
return HttpResponseBadRequest()
return redirect(request.headers.get("Referer", "/"))
return redirect("/")
status = form.save(commit=False)
# save the plain, unformatted version of the status for future editing
@ -146,7 +146,7 @@ class DeleteStatus(View):
# perform deletion
status.delete()
return redirect(request.headers.get("Referer", "/"))
return redirect("/")
@login_required
@ -195,7 +195,7 @@ def edit_readthrough(request):
if is_api_request(request):
return HttpResponse()
return redirect(request.headers.get("Referer", "/"))
return redirect("/")
def find_mentions(content):

2
bookwyrm/views/user.py
View file

@ -164,7 +164,7 @@ def hide_suggestions(request):
"""not everyone wants user suggestions"""
request.user.show_suggested_users = False
request.user.save(broadcast=False, update_fields=["show_suggested_users"])
return redirect(request.headers.get("Referer", "/"))
return redirect("/")
# pylint: disable=unused-argument