mirrors/bookwyrm
1
0
Fork 1
mirror of https://github.com/bookwyrm-social/bookwyrm.git synced 2024-06-03 05:49:35 +00:00
Code Issues Projects Releases Wiki Activity
bookwyrm/bookwyrm/views/interaction.py
Mouse Reeve 661865de87 Remmoves insecure redirects 
This should really fundamentally work differently, but this is a quick
for for now to avoid an insecure redirect. There will be a negative
impact on user experience from this, and a followup change should look
into these views and improve their flow.
2022-07-14 11:22:17 -07:00

98 lines
3 KiB
Python
Raw Blame History

""" boosts and favs """
from django.contrib.auth.decorators import login_required
from django.core.cache import cache
from django.db import IntegrityError
from django.http import HttpResponse, HttpResponseBadRequest, HttpResponseNotFound
from django.shortcuts import redirect
from django.utils.decorators import method_decorator
from django.views import View
from bookwyrm import models
from .helpers import is_api_request
# pylint: disable= no-self-use
@method_decorator(login_required, name="dispatch")
class Favorite(View):
"""like a status"""
def post(self, request, status_id):
"""create a like"""
cache.delete(f"fav-{request.user.id}-{status_id}")
status = models.Status.objects.get(id=status_id)
try:
models.Favorite.objects.create(status=status, user=request.user)
except IntegrityError:
# you already fav'ed that
return HttpResponseBadRequest()
if is_api_request(request):
return HttpResponse()
return redirect("/")
@method_decorator(login_required, name="dispatch")
class Unfavorite(View):
"""take back a fav"""
def post(self, request, status_id):
"""unlike a status"""
cache.delete(f"fav-{request.user.id}-{status_id}")
status = models.Status.objects.get(id=status_id)
try:
favorite = models.Favorite.objects.get(status=status, user=request.user)
except models.Favorite.DoesNotExist:
# can't find that status, idk
return HttpResponseNotFound()
favorite.delete()
if is_api_request(request):
return HttpResponse()
return redirect("/")
@method_decorator(login_required, name="dispatch")
class Boost(View):
"""boost a status"""
def post(self, request, status_id):
"""boost a status"""
cache.delete(f"boost-{request.user.id}-{status_id}")
status = models.Status.objects.get(id=status_id)
# is it boostable?
if not status.boostable:
return HttpResponseBadRequest()
if models.Boost.objects.filter(
boosted_status=status, user=request.user
).exists():
# you already boosted that.
return redirect("/")
models.Boost.objects.create(
boosted_status=status,
privacy=status.privacy,
user=request.user,
)
if is_api_request(request):
return HttpResponse()
return redirect("/")
@method_decorator(login_required, name="dispatch")
class Unboost(View):
"""boost a status"""
def post(self, request, status_id):
"""boost a status"""
cache.delete(f"boost-{request.user.id}-{status_id}")
status = models.Status.objects.get(id=status_id)
boost = models.Boost.objects.filter(
boosted_status=status, user=request.user
).first()
boost.delete()
if is_api_request(request):
return HttpResponse()
return redirect("/")
Reference in a new issue View git blame Copy permalink