marcel/linkding
1
0
Fork 0
mirror of https://github.com/sissbruecker/linkding.git synced 2025-08-08 03:08:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Enforce CSRF check for acknowledging toasts

Browse Source
This commit is contained in:
Sascha Ißbrücker
2022-05-20 16:51:50 +02:00
parent e14458f5cd
commit 117160ea87
4 changed files with 29 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
bookmarks/templates/bookmarks/layout.html
View File

@@ -30,12 +30,15 @@
<header> <header>
{% if has_toasts %} {% if has_toasts %}
<div class="toasts container grid-lg"> <div class="toasts container grid-lg">
<form action="{% url 'bookmarks:toasts.acknowledge' %}?return_url={{ request.path | urlencode }}" method="post">
{% csrf_token %}
{% for toast in toast_messages %} {% for toast in toast_messages %}
<div class="toast"> <div class="toast">
{{ toast.message }} {{ toast.message }}
<a href="{% url 'bookmarks:toasts.acknowledge' toast.id %}?return_url={{ request.path | urlencode }}" class="btn btn-clear float-right"></a> <button type="submit" name="toast" value="{{ toast.id }}" class="btn btn-clear float-right"></button>
</div> </div>
{% endfor %} {% endfor %}
</form>
</div> </div>
{% endif %} {% endif %}
<div class="navbar container grid-lg"> <div class="navbar container grid-lg">

28
bookmarks/tests/test_toasts_view.py
View File

@@ -60,12 +60,20 @@ class ToastsViewTestCase(TestCase, BookmarkFactoryMixin):
# Should not render toasts # Should not render toasts
self.assertContains(response, '<div class="toast">', count=0) self.assertContains(response, '<div class="toast">', count=0)
def test_form_tag(self):
self.create_toast()
expected_form_tag = f'<form action="{reverse("bookmarks:toasts.acknowledge")}?return_url={reverse("bookmarks:index")}" method="post">'
response = self.client.get(reverse('bookmarks:index'))
self.assertContains(response, expected_form_tag)
def test_toast_content(self): def test_toast_content(self):
toast = self.create_toast() toast = self.create_toast()
expected_toast = f''' expected_toast = f'''
<div class="toast"> <div class="toast">
{toast.message} {toast.message}
<a href="{reverse('bookmarks:toasts.acknowledge', args=[toast.id])}?return_url={reverse('bookmarks:index')}" class="btn btn-clear float-right"></a> <button type="submit" name="toast" value="{toast.id}" class="btn btn-clear float-right"></button>
</div> </div>
''' '''
@@ -77,7 +85,9 @@ class ToastsViewTestCase(TestCase, BookmarkFactoryMixin):
def test_acknowledge_toast(self): def test_acknowledge_toast(self):
toast = self.create_toast() toast = self.create_toast()
self.client.get(reverse('bookmarks:toasts.acknowledge', args=[toast.id])) self.client.post(reverse('bookmarks:toasts.acknowledge'), {
'toast': [toast.id],
})
toast.refresh_from_db() toast.refresh_from_db()
self.assertTrue(toast.acknowledged) self.assertTrue(toast.acknowledged)
@@ -85,17 +95,21 @@ class ToastsViewTestCase(TestCase, BookmarkFactoryMixin):
def test_acknowledge_toast_should_redirect_to_return_url(self): def test_acknowledge_toast_should_redirect_to_return_url(self):
toast = self.create_toast() toast = self.create_toast()
return_url = reverse('bookmarks:settings.general') return_url = reverse('bookmarks:settings.general')
acknowledge_url = reverse('bookmarks:toasts.acknowledge', args=[toast.id]) acknowledge_url = reverse('bookmarks:toasts.acknowledge')
acknowledge_url = acknowledge_url + '?return_url=' + return_url acknowledge_url = acknowledge_url + '?return_url=' + return_url
response = self.client.get(acknowledge_url) response = self.client.post(acknowledge_url, {
'toast': [toast.id],
})
self.assertRedirects(response, return_url) self.assertRedirects(response, return_url)
def test_acknowledge_toast_should_redirect_to_index_by_default(self): def test_acknowledge_toast_should_redirect_to_index_by_default(self):
toast = self.create_toast() toast = self.create_toast()
response = self.client.get(reverse('bookmarks:toasts.acknowledge', args=[toast.id])) response = self.client.post(reverse('bookmarks:toasts.acknowledge'), {
'toast': [toast.id],
})
self.assertRedirects(response, reverse('bookmarks:index')) self.assertRedirects(response, reverse('bookmarks:index'))
@@ -104,5 +118,7 @@ class ToastsViewTestCase(TestCase, BookmarkFactoryMixin):
other_user = User.objects.create_user('otheruser', 'otheruser@example.com', 'password123') other_user = User.objects.create_user('otheruser', 'otheruser@example.com', 'password123')
toast = self.create_toast(user=other_user) toast = self.create_toast(user=other_user)
response = self.client.get(reverse('bookmarks:toasts.acknowledge', args=[toast.id])) response = self.client.post(reverse('bookmarks:toasts.acknowledge'), {
'toast': [toast.id],
})
self.assertEqual(response.status_code, 404) self.assertEqual(response.status_code, 404)

2
bookmarks/urls.py
View File

@@ -23,7 +23,7 @@ urlpatterns = [
path('settings/import', views.settings.bookmark_import, name='settings.import'), path('settings/import', views.settings.bookmark_import, name='settings.import'),
path('settings/export', views.settings.bookmark_export, name='settings.export'), path('settings/export', views.settings.bookmark_export, name='settings.export'),
# Toasts # Toasts
path('toasts/<int:toast_id>/acknowledge', views.toasts.acknowledge, name='toasts.acknowledge'), path('toasts/acknowledge', views.toasts.acknowledge, name='toasts.acknowledge'),
# API # API
path('api/', include(router.urls), name='api') path('api/', include(router.urls), name='api')
] ]

3
bookmarks/views/toasts.py
View File

@@ -7,7 +7,8 @@ from bookmarks.utils import get_safe_return_url
@login_required @login_required
def acknowledge(request, toast_id: int): def acknowledge(request):
toast_id = request.POST['toast']
try: try:
toast = Toast.objects.get(pk=toast_id, owner=request.user) toast = Toast.objects.get(pk=toast_id, owner=request.user)
except Toast.DoesNotExist: except Toast.DoesNotExist: