Merge pull request #2222 from bookwyrm-social/redirects

Removes insecure redirects (views no longer redirect to the unvalidated `Referer` request header)
Mouse Reeve 2022-07-14 11:46:47 -07:00 committed by GitHub
commit 95a72ae902
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 19 additions and 21 deletions


@ -70,7 +70,7 @@ class Goal(View):
privacy=goal.privacy, privacy=goal.privacy,
) )
return redirect(request.headers.get("Referer", "/")) return redirect("user-goal", request.user.localname, year)
@require_POST @require_POST
@ -79,4 +79,4 @@ def hide_goal(request):
"""don't keep bugging people to set a goal""" """don't keep bugging people to set a goal"""
request.user.show_goal = False request.user.show_goal = False
request.user.save(broadcast=False, update_fields=["show_goal"]) request.user.save(broadcast=False, update_fields=["show_goal"])
return redirect(request.headers.get("Referer", "/")) return redirect("/")
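Review bot: `hide_goal` now lands the user on `/` no matter which page showed the set-a-goal prompt, and the same hard-coded home redirect is repeated across this PR; if the return-to-page behaviour is worth keeping, Django's `django.utils.http.url_has_allowed_host_and_scheme` validates a Referer against the current host instead of trusting it blindly, e.g. `referer = request.headers.get("Referer", "")` followed by `target = referer if url_has_allowed_host_and_scheme(referer, allowed_hosts={request.get_host()}, require_https=request.is_secure()) else "/"`. That keeps the open-redirect fix while preserving what the old code offered users. Where a fixed destination is known, as in the `Goal.post` branch that now reverses the named `user-goal` route with `request.user.localname`, the named route is the better choice. Both `Goal.post` and `hide_goal` begin outside this hunk.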


@ -28,7 +28,7 @@ class Favorite(View):
if is_api_request(request): if is_api_request(request):
return HttpResponse() return HttpResponse()
return redirect(request.headers.get("Referer", "/")) return redirect("/")
@method_decorator(login_required, name="dispatch") @method_decorator(login_required, name="dispatch")
@ -48,7 +48,7 @@ class Unfavorite(View):
favorite.delete() favorite.delete()
if is_api_request(request): if is_api_request(request):
return HttpResponse() return HttpResponse()
return redirect(request.headers.get("Referer", "/")) return redirect("/")
@method_decorator(login_required, name="dispatch") @method_decorator(login_required, name="dispatch")
@ -67,7 +67,7 @@ class Boost(View):
boosted_status=status, user=request.user boosted_status=status, user=request.user
).exists(): ).exists():
# you already boosted that. # you already boosted that.
return redirect(request.headers.get("Referer", "/")) return redirect("/")
models.Boost.objects.create( models.Boost.objects.create(
boosted_status=status, boosted_status=status,
@ -76,7 +76,7 @@ class Boost(View):
) )
if is_api_request(request): if is_api_request(request):
return HttpResponse() return HttpResponse()
return redirect(request.headers.get("Referer", "/")) return redirect("/")
@method_decorator(login_required, name="dispatch") @method_decorator(login_required, name="dispatch")
@ -94,4 +94,4 @@ class Unboost(View):
boost.delete() boost.delete()
if is_api_request(request): if is_api_request(request):
return HttpResponse() return HttpResponse()
return redirect(request.headers.get("Referer", "/")) return redirect("/")
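Review bot: the early return in `Boost.post` for an already-boosted status (`# you already boosted that.`) now answers API clients with a 302 to `/`, whereas the success path a few lines below first checks `is_api_request(request)` and returns `HttpResponse()`; the duplicate-boost branch should do the same so a non-browser caller is not redirected to the home page. Suggested: `if is_api_request(request): return HttpResponse()` immediately before `return redirect("/")` in that branch, mirroring the other views in this file. The `/` destination in Favorite/Unfavorite/Unboost also drops the user from the page they were on; if the status model exposes a local path the way shelves do elsewhere in this PR (`shelf.local_path`), redirecting to it would preserve context, but that attribute is not visible in this hunk. Each `post` method in this section begins outside its hunk.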


@ -79,13 +79,11 @@ class ReadingStatus(View):
current_status_shelfbook = shelves[0] if shelves else None current_status_shelfbook = shelves[0] if shelves else None
# checking the referer prevents redirecting back to the modal page # checking the referer prevents redirecting back to the modal page
referer = request.headers.get("Referer", "/")
referer = "/" if "reading-status" in referer else referer
if current_status_shelfbook is not None: if current_status_shelfbook is not None:
if current_status_shelfbook.shelf.identifier != desired_shelf.identifier: if current_status_shelfbook.shelf.identifier != desired_shelf.identifier:
current_status_shelfbook.delete() current_status_shelfbook.delete()
else: # It already was on the shelf else: # It already was on the shelf
return redirect(referer) return redirect("/")
models.ShelfBook.objects.create( models.ShelfBook.objects.create(
book=book, shelf=desired_shelf, user=request.user book=book, shelf=desired_shelf, user=request.user
@ -123,7 +121,7 @@ class ReadingStatus(View):
if is_api_request(request): if is_api_request(request):
return HttpResponse() return HttpResponse()
return redirect(referer) return redirect("/")
@method_decorator(login_required, name="dispatch") @method_decorator(login_required, name="dispatch")
@ -205,7 +203,7 @@ def delete_readthrough(request):
readthrough.raise_not_deletable(request.user) readthrough.raise_not_deletable(request.user)
readthrough.delete() readthrough.delete()
return redirect(request.headers.get("Referer", "/")) return redirect("/")
@login_required @login_required
@ -216,4 +214,4 @@ def delete_progressupdate(request):
update.raise_not_deletable(request.user) update.raise_not_deletable(request.user)
update.delete() update.delete()
return redirect(request.headers.get("Referer", "/")) return redirect("/")
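Review bot: the context line `# checking the referer prevents redirecting back to the modal page` survives in `ReadingStatus.post` while the two lines that implemented that check are removed, so the comment now describes code that no longer exists. Replace it with one that matches the new behaviour, e.g. `# always return to the home feed; the Referer header is no longer trusted for redirects`, or drop it. `ReadingStatus.post`, `delete_readthrough` and `delete_progressupdate` all begin outside their hunks.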


@ -13,7 +13,7 @@ def create_shelf(request):
"""user generated shelves""" """user generated shelves"""
form = forms.ShelfForm(request.POST) form = forms.ShelfForm(request.POST)
if not form.is_valid(): if not form.is_valid():
return redirect(request.headers.get("Referer", "/")) return redirect("user-shelves", request.user.localname)
shelf = form.save() shelf = form.save()
return redirect(shelf.local_path) return redirect(shelf.local_path)
@ -70,7 +70,7 @@ def shelve(request):
): ):
current_read_status_shelfbook.delete() current_read_status_shelfbook.delete()
else: # It is already on the shelf else: # It is already on the shelf
return redirect(request.headers.get("Referer", "/")) return redirect("/")
# create the new shelf-book entry # create the new shelf-book entry
models.ShelfBook.objects.create( models.ShelfBook.objects.create(
@ -86,7 +86,7 @@ def shelve(request):
# Might be good to alert, or reject the action? # Might be good to alert, or reject the action?
except IntegrityError: except IntegrityError:
pass pass
return redirect(request.headers.get("Referer", "/")) return redirect("/")
@login_required @login_required
@ -100,4 +100,4 @@ def unshelve(request, book_id=False):
) )
shelf_book.raise_not_deletable(request.user) shelf_book.raise_not_deletable(request.user)
shelf_book.delete() shelf_book.delete()
return redirect(request.headers.get("Referer", "/")) return redirect("/")


@ -82,7 +82,7 @@ class CreateStatus(View):
if is_api_request(request): if is_api_request(request):
logger.exception(form.errors) logger.exception(form.errors)
return HttpResponseBadRequest() return HttpResponseBadRequest()
return redirect(request.headers.get("Referer", "/")) return redirect("/")
status = form.save(commit=False) status = form.save(commit=False)
# save the plain, unformatted version of the status for future editing # save the plain, unformatted version of the status for future editing
@ -146,7 +146,7 @@ class DeleteStatus(View):
# perform deletion # perform deletion
status.delete() status.delete()
return redirect(request.headers.get("Referer", "/")) return redirect("/")
@login_required @login_required
@ -195,7 +195,7 @@ def edit_readthrough(request):
if is_api_request(request): if is_api_request(request):
return HttpResponse() return HttpResponse()
return redirect(request.headers.get("Referer", "/")) return redirect("/")
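Review bot: in `CreateStatus.post` an invalid form now silently sends a browser client to `/`, losing the submitted status with no user-facing message and no log entry, while the API branch just above logs `form.errors`; at minimum log on the HTML path too, e.g. `logger.warning("invalid status form: %s", form.errors)` before `return redirect("/")`. The adjacent `logger.exception(form.errors)` is not changed by this commit, but it is called outside an `except` block, where it records no useful traceback; `logger.error` would be the accurate level if that line is revisited. The enclosing methods begin outside these hunks.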
def find_mentions(content): def find_mentions(content):


@ -164,7 +164,7 @@ def hide_suggestions(request):
"""not everyone wants user suggestions""" """not everyone wants user suggestions"""
request.user.show_suggested_users = False request.user.show_suggested_users = False
request.user.save(broadcast=False, update_fields=["show_suggested_users"]) request.user.save(broadcast=False, update_fields=["show_suggested_users"])
return redirect(request.headers.get("Referer", "/")) return redirect("/")
# pylint: disable=unused-argument # pylint: disable=unused-argument