From 5c17dd739ac4e58312d831ba3b064af9196b5d9e Mon Sep 17 00:00:00 2001 From: Christian Glatthard Date: Wed, 12 Aug 2015 18:25:42 +0200 Subject: [PATCH] validate POST parameters with isdigit where needed, add preselected empty values to select boxes and make them required where necessary --- .../collaborationgroups/modal_addusers.html | 2 +- .../web/containers/modal_create.html | 2 +- .../templates/web/images/modal_create.html | 2 +- .../templates/web/shares/modal_addgroups.html | 2 +- .../templates/web/shares/modal_addusers.html | 2 +- ipynbsrv/web/views/collaborationgroups.py | 15 +++++---- ipynbsrv/web/views/containers.py | 31 +++++++++++-------- ipynbsrv/web/views/images.py | 2 +- ipynbsrv/web/views/notifications.py | 6 ++-- ipynbsrv/web/views/shares.py | 6 ++-- 10 files changed, 39 insertions(+), 31 deletions(-) diff --git a/ipynbsrv/web/templates/web/collaborationgroups/modal_addusers.html b/ipynbsrv/web/templates/web/collaborationgroups/modal_addusers.html index 81d3fa6..82fde3c 100644 --- a/ipynbsrv/web/templates/web/collaborationgroups/modal_addusers.html +++ b/ipynbsrv/web/templates/web/collaborationgroups/modal_addusers.html @@ -14,7 +14,7 @@
- {% for user in users %} {% if user.backend_user and user.backend_user.id not in group.member_ids %} diff --git a/ipynbsrv/web/templates/web/containers/modal_create.html b/ipynbsrv/web/templates/web/containers/modal_create.html index 73940bc..8a938b0 100644 --- a/ipynbsrv/web/templates/web/containers/modal_create.html +++ b/ipynbsrv/web/templates/web/containers/modal_create.html @@ -23,7 +23,7 @@
- + {% for ct in containers %} {% endfor %} diff --git a/ipynbsrv/web/templates/web/shares/modal_addgroups.html b/ipynbsrv/web/templates/web/shares/modal_addgroups.html index 43e4cd3..2b4a39e 100644 --- a/ipynbsrv/web/templates/web/shares/modal_addgroups.html +++ b/ipynbsrv/web/templates/web/shares/modal_addgroups.html @@ -15,7 +15,7 @@
- {% for group in groups %} {% if group.id not in share.access_group_ids and not group.is_single_user_group %} diff --git a/ipynbsrv/web/templates/web/shares/modal_addusers.html b/ipynbsrv/web/templates/web/shares/modal_addusers.html index 2322004..07e8fc8 100644 --- a/ipynbsrv/web/templates/web/shares/modal_addusers.html +++ b/ipynbsrv/web/templates/web/shares/modal_addusers.html @@ -15,7 +15,7 @@
- {% for user in users %} {% if user.backend_user.collab_group %} {% if user.backend_user.collab_group.id not in share.access_group_ids and user != request.user %} diff --git a/ipynbsrv/web/views/collaborationgroups.py b/ipynbsrv/web/views/collaborationgroups.py index 8848f82..522cd75 100644 --- a/ipynbsrv/web/views/collaborationgroups.py +++ b/ipynbsrv/web/views/collaborationgroups.py @@ -86,7 +86,7 @@ def delete(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('groups') - if 'group_id' not in request.POST: + if 'group_id' not in request.POST or not request.POST.get('group_id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('shares') @@ -112,7 +112,8 @@ def add_admin(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('shares') - if 'group_id' not in request.POST or 'user_id' not in request.POST: + if 'group_id' not in request.POST or not request.POST.get('group_id').isdigit() \ + or 'user_id' not in request.POST or not request.POST.get('user_id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('shares') @@ -149,7 +150,8 @@ def remove_admin(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('shares') - if 'group_id' not in request.POST or 'user_id' not in request.POST: + if 'group_id' not in request.POST or not request.POST.get('group_id').isdigit() \ + or 'user_id' not in request.POST or not request.POST.get('user_id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('shares') 
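Review bot: `str.isdigit()` is looser than what `int()` accepts — `'²'.isdigit()` is True while `int('²')` raises ValueError — so if the views convert the checked value with `int()` further down (outside the hunk), a crafted value still reaches the exception path instead of the "Invalid POST request." branch; `isdecimal()`, or a try/except around `int()`, closes that gap. The same guard is repeated verbatim in the add_admin, remove_admin, remove_member, leave and join hunks here and in every containers.py, images.py, notifications.py and shares.py hunk, which is a strong hint for one small helper, e.g. a `_post_int(post, key)` that returns the int or None and is called once per parameter. On the positive side `''.isdigit()` is False, so the new preselected empty `<option>` in the templates is rejected by the same check. Each of these function bodies continues past its hunk.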
@@ -216,7 +218,8 @@ def remove_member(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('groups') - if 'group_id' not in request.POST or 'user_id' not in request.POST: + if 'group_id' not in request.POST or not request.POST.get('group_id').isdigit() \ + or 'user_id' not in request.POST or not request.POST.get('user_id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('groups') @@ -255,7 +258,7 @@ def leave(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('groups') - if 'group_id' not in request.POST: + if 'group_id' not in request.POST or not request.POST.get('group_id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('groups') @@ -284,7 +287,7 @@ def join(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('shares') - if 'group_id' not in request.POST: + if 'group_id' not in request.POST or not request.POST.get('group_id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('groups') diff --git a/ipynbsrv/web/views/containers.py b/ipynbsrv/web/views/containers.py index 606d3b8..4c7fa63 100644 --- a/ipynbsrv/web/views/containers.py +++ b/ipynbsrv/web/views/containers.py @@ -17,7 +17,8 @@ def create_snapshot(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('containers') - if 'ct_id' not in request.POST or 'name' not in request.POST: + if 'ct_id' not in request.POST or not request.POST.get('ct_id').isdigit() \ + or 'name' not in request.POST: messages.error(request, "Invalid POST request.") return redirect('containers') 
@@ -49,7 +50,7 @@ def clone(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('containers') - if 'id' not in request.POST: + if 'id' not in request.POST or not request.POST.get('id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('containers') @@ -79,7 +80,8 @@ def commit(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('images') - if 'ct_id' not in request.POST or 'img_name' not in request.POST or 'description' not in request.POST: + if 'ct_id' not in request.POST or not request.POST.get('ct_id').isdigit() \ + or 'img_name' not in request.POST or 'description' not in request.POST: messages.error(request, "Invalid POST request.") return redirect('images') @@ -115,10 +117,12 @@ def create(request): """ Todo: write doc. """ + print(request.POST) if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('images') - if 'name' not in request.POST or 'description' not in request.POST or 'image_id' not in request.POST: + if 'name' not in request.POST or 'description' not in request.POST \ + or 'image_id' not in request.POST or not request.POST.get('image_id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('images') @@ -155,7 +159,7 @@ def delete(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('containers') - if 'id' not in request.POST: + if 'id' not in request.POST or not request.POST.get('id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('containers') @@ -207,7 +211,7 @@ def restart(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('containers') - if 'id' not in request.POST: + if 'id' not in request.POST or not request.POST.get('id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('containers') 
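Review bot: `print(request.POST)` in the create hunk writes every submitted form field to the process stdout on each call; it is a leftover debugging line and should not be committed. If a trace is actually wanted, `logger.debug("create: %s", request.POST)` on a module-level logger can be switched off in production, whereas `print` cannot. The clone, commit, delete and restart hunks on this line add the same isdigit guard as the rest of the series; all of these function bodies continue outside the hunks.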
@@ -240,7 +244,7 @@ def start(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('containers') - if 'id' not in request.POST: + if 'id' not in request.POST or not request.POST.get('id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('containers') @@ -273,7 +277,7 @@ def stop(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('containers') - if 'id' not in request.POST: + if 'id' not in request.POST or not request.POST.get('id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('containers') @@ -306,7 +310,7 @@ def suspend(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('containers') - if 'id' not in request.POST: + if 'id' not in request.POST or not request.POST.get('id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('containers') @@ -339,7 +343,7 @@ def resume(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('containers') - if 'id' not in request.POST: + if 'id' not in request.POST or not request.POST.get('id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('containers') @@ -374,7 +378,7 @@ def restore_snapshot(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('containers') - if 'id' not in request.POST: + if 'id' not in request.POST or not request.POST.get('id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('containers') 
@@ -388,7 +392,7 @@ def restore_snapshot(request): # restore snapshot try: client.containers.snapshots(id).restore.post() - messages.success(request, "Sucessfully restored snapshot `{}`.".format(snapshot.name) + messages.success(request, "Sucessfully restored snapshot `{}`.".format(snapshot.name)) except Exception as e: messages.error(request, api_error_message(e, "")) else: @@ -406,7 +410,8 @@ def delete_snapshot(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('containers') - if 'id' not in request.POST or 'ct_id' not in request.POST: + if 'id' not in request.POST or not request.POST.get('id').isdgit() \ + or 'ct_id' not in request.POST or not request.get('ct_id').isdgit(): messages.error(request, "Invalid POST request.") return redirect('containers') diff --git a/ipynbsrv/web/views/images.py b/ipynbsrv/web/views/images.py index f6441fe..d7a6a97 100644 --- a/ipynbsrv/web/views/images.py +++ b/ipynbsrv/web/views/images.py @@ -12,7 +12,7 @@ def delete(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('images') - if 'id' not in request.POST: + if 'id' not in request.POST or not request.POST.get('id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('images') diff --git a/ipynbsrv/web/views/notifications.py b/ipynbsrv/web/views/notifications.py index 9057edf..b1e2a69 100644 --- a/ipynbsrv/web/views/notifications.py +++ b/ipynbsrv/web/views/notifications.py 
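Review bot: The delete_snapshot guard calls `.isdgit()` (typo, twice) and `request.get('ct_id')` instead of `request.POST.get('ct_id')`, so the first well-formed POST raises AttributeError and the view answers with a 500 rather than deleting the snapshot or rejecting the request. Change the two new lines to `if 'id' not in request.POST or not request.POST.get('id').isdigit() \` and `or 'ct_id' not in request.POST or not request.POST.get('ct_id').isdigit():`. The paren fix in the restore_snapshot hunk above is correct. Both function bodies continue past their hunks.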
@@ -46,7 +46,8 @@ def create(request): messages.error(request, "Invalid request method.") return redirect('notifications') # Todo: validate POST params: receiver_group, msg, type, rel objs - if 'receiver_groups' not in request.POST or 'message' not in request.POST or 'notification_type' not in request.POST: + if 'receiver_groups' not in request.POST or 'message' not in request.POST \ + or 'notification_type' not in request.POST: messages.error(request, "Invalid POST request.") return redirect('notifications') @@ -77,8 +78,7 @@ def mark_as_read(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('notifications') - # Todo: validate POST params: receiver_group, msg, type, rel objs - if 'id' not in request.POST: + if 'id' not in request.POST or not request.POST.get('id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('notifications') diff --git a/ipynbsrv/web/views/shares.py b/ipynbsrv/web/views/shares.py index f791694..fd1ca46 100644 --- a/ipynbsrv/web/views/shares.py +++ b/ipynbsrv/web/views/shares.py @@ -91,7 +91,7 @@ def share_add_access_groups(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('shares') - if 'id' not in request.POST or 'access_groups' not in request.POST: + if 'id' not in request.POST or not request.POST.get('id').isdigit() or 'access_groups' not in request.POST: messages.error(request, "Invalid POST request.") return redirect('shares') @@ -149,7 +149,7 @@ def delete(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('shares') - if 'share_id' not in request.POST: + if 'share_id' not in request.POST or not request.POST.get('share_id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('shares') 
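Review bot: The notifications create guard, and likewise the share_add_access_groups guard in shares.py, still only checks that `receiver_groups` / `access_groups` is present; the individual values are not validated the way the scalar ids now are, which the Todo comment two lines above acknowledges. If these are multi-select ids read with `getlist()` further down (outside the hunk), the same digit check belongs on each element, e.g. `if not all(g.isdigit() for g in request.POST.getlist('access_groups')):`. Both function bodies continue past the hunk.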
@@ -178,7 +178,7 @@ def leave(request): if request.method != "POST": messages.error(request, "Invalid request method.") return redirect('shares') - if 'id' not in request.POST: + if 'id' not in request.POST or not request.POST.get('id').isdigit(): messages.error(request, "Invalid POST request.") return redirect('shares')