Add validation before using url
This commit is contained in:
parent
bfe04feca9
commit
78c214a6d4
3 changed files with 8 additions and 0 deletions
|
@ -12,6 +12,7 @@ from django.views.decorators.http import require_POST
|
|||
|
||||
from bookwyrm import forms, models
|
||||
from bookwyrm.views.shelf.shelf_actions import unshelve
|
||||
from bookwyrm.utils.validate import validate_url_domain
|
||||
from .status import CreateStatus
|
||||
from .helpers import get_edition, handle_reading_status, is_api_request
|
||||
from .helpers import load_date_in_user_tz_as_utc
|
||||
|
@ -43,6 +44,7 @@ class ReadingStatus(View):
|
|||
def post(self, request, status, book_id):
|
||||
"""Change the state of a book by shelving it and adding reading dates"""
|
||||
next_step = request.POST.get("next", "/")
|
||||
next_step = validate_url_domain(next_step, "/")
|
||||
identifier = {
|
||||
"want": models.Shelf.TO_READ,
|
||||
"start": models.Shelf.READING,
|
||||
|
|
|
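Review bot: The new `next_step = validate_url_domain(next_step, "/")` line in ReadingStatus.post carries no comment saying what it guards against, and the same two-line pattern is repeated verbatim in shelve and unshelve (second file) and in CreateStatus.post and edit_readthrough (third file). A one-line comment such as `# keep the post-action redirect on this instance; an off-site "next" would turn the view into an open redirect` would record the intent for whoever adds the next view. Folding the pair into one call, `next_step = validate_url_domain(request.POST.get("next", "/"), "/")`, or into a shared helper in the views helpers module would make it harder for a future view to omit the check. The body of validate_url_domain is not part of this commit; if it only compares the host, it is worth confirming it also handles scheme-relative and non-http(s) targets, which Django's `django.utils.http.url_has_allowed_host_and_scheme` covers. The post method continues past the end of the hunk.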
@ -3,6 +3,7 @@ from django.db import IntegrityError, transaction
|
|||
from django.contrib.auth.decorators import login_required
|
||||
from django.shortcuts import get_object_or_404, redirect
|
||||
from django.views.decorators.http import require_POST
|
||||
from bookwyrm.utils.validate import validate_url_domain
|
||||
|
||||
from bookwyrm import forms, models
|
||||
|
||||
|
@ -36,6 +37,7 @@ def delete_shelf(request, shelf_id):
|
|||
def shelve(request):
|
||||
"""put a book on a user's shelf"""
|
||||
next_step = request.POST.get("next", "/")
|
||||
next_step = validate_url_domain(next_step, "/")
|
||||
book = get_object_or_404(models.Edition, id=request.POST.get("book"))
|
||||
desired_shelf = get_object_or_404(
|
||||
request.user.shelf_set, identifier=request.POST.get("shelf")
|
||||
|
@ -97,6 +99,7 @@ def shelve(request):
|
|||
def unshelve(request, book_id=False):
|
||||
"""remove a book from a user's shelf"""
|
||||
next_step = request.POST.get("next", "/")
|
||||
next_step = validate_url_domain(next_step, "/")
|
||||
identity = book_id if book_id else request.POST.get("book")
|
||||
book = get_object_or_404(models.Edition, id=identity)
|
||||
shelf_book = get_object_or_404(
|
||||
|
|
|
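Review bot: In this file the new import `from bookwyrm.utils.validate import validate_url_domain` is placed inside the django import group, above the blank line that separates it from `from bookwyrm import forms, models`, whereas the other two files put it alongside the bookwyrm imports. Moving it below that blank line keeps the third-party/local grouping the file already follows. The bodies of shelve and unshelve continue outside their hunks.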
@ -18,6 +18,7 @@ from django.views.decorators.http import require_POST
|
|||
from markdown import markdown
|
||||
from bookwyrm import forms, models
|
||||
from bookwyrm.utils import regex, sanitizer
|
||||
from bookwyrm.utils.validate import validate_url_domain
|
||||
from .helpers import handle_remote_webfinger, is_api_request
|
||||
from .helpers import load_date_in_user_tz_as_utc
|
||||
|
||||
|
@ -59,6 +60,7 @@ class CreateStatus(View):
|
|||
def post(self, request, status_type, existing_status_id=None):
|
||||
"""create status of whatever type"""
|
||||
next_step = request.POST.get("next", "/")
|
||||
next_step = validate_url_domain(next_step, "/")
|
||||
created = not existing_status_id
|
||||
existing_status = None
|
||||
if existing_status_id:
|
||||
|
@ -169,6 +171,7 @@ def edit_readthrough(request):
|
|||
"""can't use the form because the dates are too finnicky"""
|
||||
# TODO: remove this, it duplicates the code in the ReadThrough view
|
||||
next_step = request.POST.get("next", "/")
|
||||
next_step = validate_url_domain(next_step, "/")
|
||||
readthrough = get_object_or_404(models.ReadThrough, id=request.POST.get("id"))
|
||||
|
||||
readthrough.start_date = load_date_in_user_tz_as_utc(
|
||||
|
|