Address review commends, thx @Mogost

django-hijack · Mar 16, 2021 · 1c6b805 · 1c6b805
1 parent 557eb63
commit 1c6b805
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 37 deletions.
diff --git a/docs/security.md b/docs/security.md
@@ -21,7 +21,7 @@ on all or views. This is also why we only support `POST` requests.
 
 [csrf_protect]: https://docs.djangoproject.com/en/stable/ref/csrf/#django.views.decorators.csrf.csrf_protect
 
-### Session injection
+### Session injection / poisoning
 
 Django's session engines, especially the `signed_cookies` engine, try to prevent session
 injection as much as possible. However, you should make sure, that you do not use
@@ -42,8 +42,8 @@ to avoid argument mismatching.
 If you create your own permission check, make sure to test your implementation against
 all possible scenarios to prevent permission escalation.
 
-### Layout
+### Undeliberate action
 
 The hijack notification can not be permanently hidden, but only for a single request.
-This is to protect users form performing operations as another user without their
+This is to protect users from performing operations as another user without their
 knowledge.
diff --git a/hijack/tests/test_app/urls.py b/hijack/tests/test_app/urls.py
@@ -8,7 +8,9 @@
 urlpatterns = [
     path("hijack/", include("hijack.urls", namespace="hijack")),
     path("users/", views.UserListView.as_view(), name="user-list"),
-    path("accounts/profile", views.UserDetailView.as_view(), name="user-detail"),
-    path("bye-bye", TemplateView.as_view(template_name="bye_bye.html"), name="bye-bye"),
+    path("accounts/profile/", views.UserDetailView.as_view(), name="user-detail"),
+    path(
+        "bye-bye/", TemplateView.as_view(template_name="bye_bye.html"), name="bye-bye"
+    ),
     path("admin/", admin.site.urls),
 ]
diff --git a/hijack/tests/test_views.py b/hijack/tests/test_views.py
@@ -12,36 +12,21 @@ def test_acquire(self, admin_client, bob):
         assert (
             admin_client.get(self.user_detail_url).content == b'{"username": "admin"}'
         )
-        response = admin_client.post(
-            self.url,
-            {
-                "user_pk": bob.pk,
-            },
-        )
+        response = admin_client.post(self.url, {"user_pk": bob.pk})
         assert response.status_code == 302
         assert admin_client.get(self.user_detail_url).content == b'{"username": "bob"}'
 
     def test_acquire__denied(self, eve_client, bob):
         assert eve_client.get(self.user_detail_url).content == b'{"username": "eve"}'
-        response = eve_client.post(
-            self.url,
-            {
-                "user_pk": bob.pk,
-            },
-        )
+        response = eve_client.post(self.url, {"user_pk": bob.pk})
         assert response.status_code == 403
         assert eve_client.get(self.user_detail_url).content == b'{"username": "eve"}'
 
     def test_success_url__default(self, admin_client, bob):
         assert (
             admin_client.get(self.user_detail_url).content == b'{"username": "admin"}'
         )
-        response = admin_client.post(
-            self.url,
-            {
-                "user_pk": bob.pk,
-            },
-        )
+        response = admin_client.post(self.url, {"user_pk": bob.pk})
         assert response.status_code == 302
         assert response["Location"] == "/accounts/profile/"
 
@@ -118,21 +103,11 @@ def test_acquire_release(self, settings, admin_client, bob, alice):
         assert (
             admin_client.get(self.user_detail_url).content == b'{"username": "admin"}'
         )
-        response = admin_client.post(
-            self.acquire_url,
-            {
-                "user_pk": bob.pk,
-            },
-        )
+        response = admin_client.post(self.acquire_url, {"user_pk": bob.pk})
         assert response.status_code == 302
         assert admin_client.get(self.user_detail_url).content == b'{"username": "bob"}'
 
-        response = admin_client.post(
-            self.acquire_url,
-            {
-                "user_pk": alice.pk,
-            },
-        )
+        response = admin_client.post(self.acquire_url, {"user_pk": alice.pk})
         assert response.status_code == 302
         assert (
             admin_client.get(self.user_detail_url).content == b'{"username": "alice"}'

diff --git a/package.json b/package.json
@@ -2,8 +2,8 @@
   "name": "django-hijack",
   "version": "1.0.0",
   "scripts": {
-    "build": "postcss hijack/static/hijack/hijack-styles.scss -o hijack/static/hijack/hijack-styles.css",
-    "build:watch": "postcss hijack/static/hijack/hijack-styles.scss -o hijack/static/hijack/hijack-styles.css -w",
+    "build": "postcss hijack/static/hijack/hijack.scss -o hijack/static/hijack/hijack.min.css",
+    "build:watch": "postcss hijack/static/hijack/hijack.scss -o hijack/static/hijack/hijack.min.css -w",
     "lint:scss": "stylelint \"**/*.scss\""
   },
   "repository": {