Add validation before using url
This commit is contained in:
parent
bfe04feca9
commit
78c214a6d4
3 changed files with 8 additions and 0 deletions
|
@ -12,6 +12,7 @@ from django.views.decorators.http import require_POST
|
||||||
|
|
||||||
from bookwyrm import forms, models
|
from bookwyrm import forms, models
|
||||||
from bookwyrm.views.shelf.shelf_actions import unshelve
|
from bookwyrm.views.shelf.shelf_actions import unshelve
|
||||||
|
from bookwyrm.utils.validate import validate_url_domain
|
||||||
from .status import CreateStatus
|
from .status import CreateStatus
|
||||||
from .helpers import get_edition, handle_reading_status, is_api_request
|
from .helpers import get_edition, handle_reading_status, is_api_request
|
||||||
from .helpers import load_date_in_user_tz_as_utc
|
from .helpers import load_date_in_user_tz_as_utc
|
||||||
|
@ -43,6 +44,7 @@ class ReadingStatus(View):
|
||||||
def post(self, request, status, book_id):
|
def post(self, request, status, book_id):
|
||||||
"""Change the state of a book by shelving it and adding reading dates"""
|
"""Change the state of a book by shelving it and adding reading dates"""
|
||||||
next_step = request.POST.get("next", "/")
|
next_step = request.POST.get("next", "/")
|
||||||
|
next_step = validate_url_domain(next_step, "/")
|
||||||
identifier = {
|
identifier = {
|
||||||
"want": models.Shelf.TO_READ,
|
"want": models.Shelf.TO_READ,
|
||||||
"start": models.Shelf.READING,
|
"start": models.Shelf.READING,
|
||||||
|
|
|
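Review bot: The guard `next_step = validate_url_domain(next_step, "/")` added in this section and repeated in the two sections below (eight hunks in all) delegates the whole open-redirect decision to a helper whose contract is not visible here, so the review should confirm it rejects protocol-relative targets (`//host/path`), backslash-prefixed paths and non-http(s) schemes before handing the value to `redirect()`, since those are the cases a plain domain comparison usually misses. Django ships `django.utils.http.url_has_allowed_host_and_scheme(url, allowed_hosts, require_https)` for exactly this check; if the helper already wraps it the concern is moot, otherwise wrapping it is cheaper than maintaining a hand-rolled parser. Because the same one-liner follows every `request.POST.get("next", "/")`, a small helper such as `next_step = safe_next_url(request)` would keep future handlers from omitting it. A comment on the added line, `# refuse off-site "next" targets (open redirect guard)`, would record why the value is rewritten, and a regression test that posts an external `next` and asserts the response redirects to `/` would pin the fix. The enclosing `post`, `shelve`, `unshelve` and `edit_readthrough` bodies continue outside these hunks.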
@ -3,6 +3,7 @@ from django.db import IntegrityError, transaction
|
||||||
from django.contrib.auth.decorators import login_required
|
from django.contrib.auth.decorators import login_required
|
||||||
from django.shortcuts import get_object_or_404, redirect
|
from django.shortcuts import get_object_or_404, redirect
|
||||||
from django.views.decorators.http import require_POST
|
from django.views.decorators.http import require_POST
|
||||||
|
from bookwyrm.utils.validate import validate_url_domain
|
||||||
|
|
||||||
from bookwyrm import forms, models
|
from bookwyrm import forms, models
|
||||||
|
|
||||||
|
@ -36,6 +37,7 @@ def delete_shelf(request, shelf_id):
|
||||||
def shelve(request):
|
def shelve(request):
|
||||||
"""put a book on a user's shelf"""
|
"""put a book on a user's shelf"""
|
||||||
next_step = request.POST.get("next", "/")
|
next_step = request.POST.get("next", "/")
|
||||||
|
next_step = validate_url_domain(next_step, "/")
|
||||||
book = get_object_or_404(models.Edition, id=request.POST.get("book"))
|
book = get_object_or_404(models.Edition, id=request.POST.get("book"))
|
||||||
desired_shelf = get_object_or_404(
|
desired_shelf = get_object_or_404(
|
||||||
request.user.shelf_set, identifier=request.POST.get("shelf")
|
request.user.shelf_set, identifier=request.POST.get("shelf")
|
||||||
|
@ -97,6 +99,7 @@ def shelve(request):
|
||||||
def unshelve(request, book_id=False):
|
def unshelve(request, book_id=False):
|
||||||
"""remove a book from a user's shelf"""
|
"""remove a book from a user's shelf"""
|
||||||
next_step = request.POST.get("next", "/")
|
next_step = request.POST.get("next", "/")
|
||||||
|
next_step = validate_url_domain(next_step, "/")
|
||||||
identity = book_id if book_id else request.POST.get("book")
|
identity = book_id if book_id else request.POST.get("book")
|
||||||
book = get_object_or_404(models.Edition, id=identity)
|
book = get_object_or_404(models.Edition, id=identity)
|
||||||
shelf_book = get_object_or_404(
|
shelf_book = get_object_or_404(
|
||||||
|
|
|
@ -18,6 +18,7 @@ from django.views.decorators.http import require_POST
|
||||||
from markdown import markdown
|
from markdown import markdown
|
||||||
from bookwyrm import forms, models
|
from bookwyrm import forms, models
|
||||||
from bookwyrm.utils import regex, sanitizer
|
from bookwyrm.utils import regex, sanitizer
|
||||||
|
from bookwyrm.utils.validate import validate_url_domain
|
||||||
from .helpers import handle_remote_webfinger, is_api_request
|
from .helpers import handle_remote_webfinger, is_api_request
|
||||||
from .helpers import load_date_in_user_tz_as_utc
|
from .helpers import load_date_in_user_tz_as_utc
|
||||||
|
|
||||||
|
@ -59,6 +60,7 @@ class CreateStatus(View):
|
||||||
def post(self, request, status_type, existing_status_id=None):
|
def post(self, request, status_type, existing_status_id=None):
|
||||||
"""create status of whatever type"""
|
"""create status of whatever type"""
|
||||||
next_step = request.POST.get("next", "/")
|
next_step = request.POST.get("next", "/")
|
||||||
|
next_step = validate_url_domain(next_step, "/")
|
||||||
created = not existing_status_id
|
created = not existing_status_id
|
||||||
existing_status = None
|
existing_status = None
|
||||||
if existing_status_id:
|
if existing_status_id:
|
||||||
|
@ -169,6 +171,7 @@ def edit_readthrough(request):
|
||||||
"""can't use the form because the dates are too finnicky"""
|
"""can't use the form because the dates are too finnicky"""
|
||||||
# TODO: remove this, it duplicates the code in the ReadThrough view
|
# TODO: remove this, it duplicates the code in the ReadThrough view
|
||||||
next_step = request.POST.get("next", "/")
|
next_step = request.POST.get("next", "/")
|
||||||
|
next_step = validate_url_domain(next_step, "/")
|
||||||
readthrough = get_object_or_404(models.ReadThrough, id=request.POST.get("id"))
|
readthrough = get_object_or_404(models.ReadThrough, id=request.POST.get("id"))
|
||||||
|
|
||||||
readthrough.start_date = load_date_in_user_tz_as_utc(
|
readthrough.start_date = load_date_in_user_tz_as_utc(
|
||||||
|
|