mirror of
https://github.com/bookwyrm-social/bookwyrm.git
synced 2025-01-10 01:05:29 +00:00
Merge pull request #2222 from bookwyrm-social/redirects
Removes insecure redirects
This commit is contained in:
commit
95a72ae902
6 changed files with 19 additions and 21 deletions
|
@ -70,7 +70,7 @@ class Goal(View):
|
||||||
privacy=goal.privacy,
|
privacy=goal.privacy,
|
||||||
)
|
)
|
||||||
|
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("user-goal", request.user.localname, year)
|
||||||
|
|
||||||
|
|
||||||
@require_POST
|
@require_POST
|
||||||
|
@ -79,4 +79,4 @@ def hide_goal(request):
|
||||||
"""don't keep bugging people to set a goal"""
|
"""don't keep bugging people to set a goal"""
|
||||||
request.user.show_goal = False
|
request.user.show_goal = False
|
||||||
request.user.save(broadcast=False, update_fields=["show_goal"])
|
request.user.save(broadcast=False, update_fields=["show_goal"])
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
|
@ -28,7 +28,7 @@ class Favorite(View):
|
||||||
|
|
||||||
if is_api_request(request):
|
if is_api_request(request):
|
||||||
return HttpResponse()
|
return HttpResponse()
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
||||||
|
|
||||||
@method_decorator(login_required, name="dispatch")
|
@method_decorator(login_required, name="dispatch")
|
||||||
|
@ -48,7 +48,7 @@ class Unfavorite(View):
|
||||||
favorite.delete()
|
favorite.delete()
|
||||||
if is_api_request(request):
|
if is_api_request(request):
|
||||||
return HttpResponse()
|
return HttpResponse()
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
||||||
|
|
||||||
@method_decorator(login_required, name="dispatch")
|
@method_decorator(login_required, name="dispatch")
|
||||||
|
@ -67,7 +67,7 @@ class Boost(View):
|
||||||
boosted_status=status, user=request.user
|
boosted_status=status, user=request.user
|
||||||
).exists():
|
).exists():
|
||||||
# you already boosted that.
|
# you already boosted that.
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
||||||
models.Boost.objects.create(
|
models.Boost.objects.create(
|
||||||
boosted_status=status,
|
boosted_status=status,
|
||||||
|
@ -76,7 +76,7 @@ class Boost(View):
|
||||||
)
|
)
|
||||||
if is_api_request(request):
|
if is_api_request(request):
|
||||||
return HttpResponse()
|
return HttpResponse()
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
||||||
|
|
||||||
@method_decorator(login_required, name="dispatch")
|
@method_decorator(login_required, name="dispatch")
|
||||||
|
@ -94,4 +94,4 @@ class Unboost(View):
|
||||||
boost.delete()
|
boost.delete()
|
||||||
if is_api_request(request):
|
if is_api_request(request):
|
||||||
return HttpResponse()
|
return HttpResponse()
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
|
@ -79,13 +79,11 @@ class ReadingStatus(View):
|
||||||
current_status_shelfbook = shelves[0] if shelves else None
|
current_status_shelfbook = shelves[0] if shelves else None
|
||||||
|
|
||||||
# checking the referer prevents redirecting back to the modal page
|
# checking the referer prevents redirecting back to the modal page
|
||||||
referer = request.headers.get("Referer", "/")
|
|
||||||
referer = "/" if "reading-status" in referer else referer
|
|
||||||
if current_status_shelfbook is not None:
|
if current_status_shelfbook is not None:
|
||||||
if current_status_shelfbook.shelf.identifier != desired_shelf.identifier:
|
if current_status_shelfbook.shelf.identifier != desired_shelf.identifier:
|
||||||
current_status_shelfbook.delete()
|
current_status_shelfbook.delete()
|
||||||
else: # It already was on the shelf
|
else: # It already was on the shelf
|
||||||
return redirect(referer)
|
return redirect("/")
|
||||||
|
|
||||||
models.ShelfBook.objects.create(
|
models.ShelfBook.objects.create(
|
||||||
book=book, shelf=desired_shelf, user=request.user
|
book=book, shelf=desired_shelf, user=request.user
|
||||||
|
@ -123,7 +121,7 @@ class ReadingStatus(View):
|
||||||
if is_api_request(request):
|
if is_api_request(request):
|
||||||
return HttpResponse()
|
return HttpResponse()
|
||||||
|
|
||||||
return redirect(referer)
|
return redirect("/")
|
||||||
|
|
||||||
|
|
||||||
@method_decorator(login_required, name="dispatch")
|
@method_decorator(login_required, name="dispatch")
|
||||||
|
@ -205,7 +203,7 @@ def delete_readthrough(request):
|
||||||
readthrough.raise_not_deletable(request.user)
|
readthrough.raise_not_deletable(request.user)
|
||||||
|
|
||||||
readthrough.delete()
|
readthrough.delete()
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
||||||
|
|
||||||
@login_required
|
@login_required
|
||||||
|
@ -216,4 +214,4 @@ def delete_progressupdate(request):
|
||||||
update.raise_not_deletable(request.user)
|
update.raise_not_deletable(request.user)
|
||||||
|
|
||||||
update.delete()
|
update.delete()
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
|
@ -13,7 +13,7 @@ def create_shelf(request):
|
||||||
"""user generated shelves"""
|
"""user generated shelves"""
|
||||||
form = forms.ShelfForm(request.POST)
|
form = forms.ShelfForm(request.POST)
|
||||||
if not form.is_valid():
|
if not form.is_valid():
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("user-shelves", request.user.localname)
|
||||||
|
|
||||||
shelf = form.save()
|
shelf = form.save()
|
||||||
return redirect(shelf.local_path)
|
return redirect(shelf.local_path)
|
||||||
|
@ -70,7 +70,7 @@ def shelve(request):
|
||||||
):
|
):
|
||||||
current_read_status_shelfbook.delete()
|
current_read_status_shelfbook.delete()
|
||||||
else: # It is already on the shelf
|
else: # It is already on the shelf
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
||||||
# create the new shelf-book entry
|
# create the new shelf-book entry
|
||||||
models.ShelfBook.objects.create(
|
models.ShelfBook.objects.create(
|
||||||
|
@ -86,7 +86,7 @@ def shelve(request):
|
||||||
# Might be good to alert, or reject the action?
|
# Might be good to alert, or reject the action?
|
||||||
except IntegrityError:
|
except IntegrityError:
|
||||||
pass
|
pass
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
||||||
|
|
||||||
@login_required
|
@login_required
|
||||||
|
@ -100,4 +100,4 @@ def unshelve(request, book_id=False):
|
||||||
)
|
)
|
||||||
shelf_book.raise_not_deletable(request.user)
|
shelf_book.raise_not_deletable(request.user)
|
||||||
shelf_book.delete()
|
shelf_book.delete()
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
|
@ -82,7 +82,7 @@ class CreateStatus(View):
|
||||||
if is_api_request(request):
|
if is_api_request(request):
|
||||||
logger.exception(form.errors)
|
logger.exception(form.errors)
|
||||||
return HttpResponseBadRequest()
|
return HttpResponseBadRequest()
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
||||||
status = form.save(commit=False)
|
status = form.save(commit=False)
|
||||||
# save the plain, unformatted version of the status for future editing
|
# save the plain, unformatted version of the status for future editing
|
||||||
|
@ -146,7 +146,7 @@ class DeleteStatus(View):
|
||||||
|
|
||||||
# perform deletion
|
# perform deletion
|
||||||
status.delete()
|
status.delete()
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
||||||
|
|
||||||
@login_required
|
@login_required
|
||||||
|
@ -195,7 +195,7 @@ def edit_readthrough(request):
|
||||||
|
|
||||||
if is_api_request(request):
|
if is_api_request(request):
|
||||||
return HttpResponse()
|
return HttpResponse()
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
||||||
|
|
||||||
def find_mentions(content):
|
def find_mentions(content):
|
||||||
|
|
|
@ -164,7 +164,7 @@ def hide_suggestions(request):
|
||||||
"""not everyone wants user suggestions"""
|
"""not everyone wants user suggestions"""
|
||||||
request.user.show_suggested_users = False
|
request.user.show_suggested_users = False
|
||||||
request.user.save(broadcast=False, update_fields=["show_suggested_users"])
|
request.user.save(broadcast=False, update_fields=["show_suggested_users"])
|
||||||
return redirect(request.headers.get("Referer", "/"))
|
return redirect("/")
|
||||||
|
|
||||||
|
|
||||||
# pylint: disable=unused-argument
|
# pylint: disable=unused-argument
|
||||||
|
|
Loading…
Reference in a new issue