
Do not allow all models to be liked #2

Closed

Tim Heap

Allowing all models to be liked introduces potential security risks. Users could like administrative users, for example, and find out their user name. Or, they could like entries in the permissions tables, and find out their values. Explicitly allowing models that can be bookmarked is safer.

Patrick Altman
Owner

I think this is an excellent idea. I prefer to use a simple setting defined in settings.py that lists the models that are likeable, similar to how django-activity-stream handles it, but will merge them in and modify.

Patrick Altman paltman closed this November 28, 2011
Patrick Altman
Owner

I merged in but then modified to be based on a PHILEO_LIKABLE_MODELS list in settings.py rather than requiring a registry.

Tim Heap

PHILEO_LIKABLE_MODELS sounds good to me. I based the registry off another generic bookmarking/liking app, which used a registry, however a list of models is much simpler. Thanks for merging!
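A stand-alone illustration of the allow-list gate this thread settles on, written for this page rather than taken from phileo: likeable models come from a PHILEO_LIKABLE_MODELS-style list, and the view-side check refuses any content type not on it before the target object is looked up. The ContentType rows, the like table and the "app_label.model" label format are stand-ins and assumptions here, not phileo's API.

```python
# Added example, not phileo's own code. Django is not imported: ContentType
# rows and the Like table are constructed stand-ins so the block runs alone.
# The "app_label.model" label format for the setting is an assumption.

# Constructed stand-in for settings.PHILEO_LIKABLE_MODELS.
PHILEO_LIKABLE_MODELS = ["blog.Post", "blog.Comment"]


class ContentType:
    """Minimal stand-in for a django.contrib.contenttypes ContentType row."""

    def __init__(self, pk, app_label, model):
        self.pk, self.app_label, self.model = pk, app_label, model


# Constructed sample rows keyed by pk, and sample object ids for each of them.
CONTENT_TYPES = {
    1: ContentType(1, "blog", "post"),
    2: ContentType(2, "auth", "user"),
    3: ContentType(3, "auth", "permission"),
}
OBJECTS = {1: {10, 11}, 2: {1}, 3: {1, 2, 3}}


def is_likeable(content_type):
    """True only if the model is explicitly allow-listed (case-insensitive)."""
    allowed = {label.lower() for label in PHILEO_LIKABLE_MODELS}
    return "%s.%s" % (content_type.app_label, content_type.model) in allowed


def like_toggle(user, content_type_id, object_id, likes):
    """Toggle a like; `likes` is a set of (user, ct_id, obj_id) tuples."""
    content_type = CONTENT_TYPES.get(content_type_id)
    if content_type is None:
        return 404
    # Refuse before looking up the target object, so 404-vs-200 responses
    # cannot be used to probe which rows exist in a non-likeable table.
    if not is_likeable(content_type):
        return 403
    if object_id not in OBJECTS[content_type_id]:
        return 404
    key = (user, content_type_id, object_id)
    if key in likes:
        likes.remove(key)
        return 200  # unliked
    likes.add(key)
    return 201  # liked
```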


Showing 1 unique commit by 1 author.

Nov 28, 2011
Tim Heap Likeable models must be registered with phileo first babdfb3
1  .gitignore
... ...
@@ -0,0 +1 @@
  1
+*.pyc
7  docs/changelog.rst
@@ -3,6 +3,13 @@
3 3
 ChangeLog
4 4
 =========
5 5
 
  6
+0.3
  7
+---
  8
+- Likeable models need to be registered in Phileo. This prevents users from liking
  9
+  anything and everything, which could potentially lead to security problems (eg. liking
  10
+  entries in permission tables, and thus seeing their content; liking administrative
  11
+  users and thus getting their username).
  12
+
6 13
 0.2
7 14
 ---
8 15
 
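Review bot: the new 0.3 entry describes the motivation but not the upgrade impact; it should state plainly that this is a behaviour change and that, after upgrading, any project that has not registered its models will have every like request refused, so existing deployments must add the registration calls. Minor: "eg." should read "e.g.".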
23  docs/usage.rst
@@ -3,8 +3,25 @@
3 3
 Usage
4 4
 =====
5 5
 
6  
-Phileo consists of template tags that you place within your project
7  
-to get different "liking" functionality.
  6
+In your models
  7
+--------------
  8
+
  9
+You need to register the models that will be 'likeable' with phileo, before
  10
+you use phileo in templates::
  11
+
  12
+    # in models.py
  13
+    from phileo.handlers import library as phileo_library
  14
+
  15
+    # Define your models ...
  16
+
  17
+    # Register a single model
  18
+    phileo_library.register(Post)
  19
+
  20
+    # Register a bunch of models at once
  21
+    phileo_library.register([Page, Entry, Comment, Photo])
  22
+
  23
+In the views
  24
+------------
8 25
 
9 26
 Let's say you have a detail page for a blog post. First you will want
10 27
 to load the tags::
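Review bot: the new "In your models" section says models need to be registered but not what happens when they are not, which is what an integrator will hit first; add a sentence that like requests for unregistered models are refused with a 403. The removed opening sentence ("Phileo consists of template tags that you place within your project to get different 'liking' functionality.") was still accurate and should be kept, for example under "In the views", rather than dropped.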
@@ -27,4 +44,4 @@ Then at the bottom of your page where include your javascript::
27 44
     {% likes_js request.user post %}
28 45
 
29 46
 
30  
-That's all you need to do to get the basics working.
  47
+That's all you need to do to get the basics working.
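Review bot: the removed and re-added line are identical, so this is a whitespace-only change; keeping such changes out of a security fix makes the diff easier to review and bisect.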
19  phileo/handlers.py
... ...
@@ -0,0 +1,19 @@
  1
+from django.db.models.base import ModelBase
  2
+
  3
+class Registry(object):
  4
+    def __init__(self):
  5
+        self._registry = []
  6
+
  7
+    def register(self, models):
  8
+
  9
+        if isinstance(models, ModelBase):
  10
+            models = [models]
  11
+
  12
+        for model in models:
  13
+            self._registry.append(model)
  14
+
  15
+    def is_registered(self, model):
  16
+        return not (model in self._registry)
  17
+
  18
+library = Registry()
  19
+
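Review bot: `is_registered` returns the inverse of what its name says, `return not (model in self._registry)`, so the gate added in `like_toggle` would reject registered models and admit every unregistered one; it should be `return model in self._registry`. Also consider storing the registry as a set rather than a list so repeated `register` calls (for instance on module re-import) do not accumulate duplicates.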
6  phileo/views.py
... ...
@@ -1,7 +1,7 @@
1 1
 from django.contrib.auth.decorators import login_required
2 2
 from django.contrib.contenttypes.models import ContentType
3 3
 
4  
-from django.http import HttpResponse
  4
+from django.http import HttpResponse, HttpResponseForbidden
5 5
 from django.utils import simplejson as json
6 6
 from django.shortcuts import get_object_or_404, redirect
7 7
 from django.views.decorators.http import require_POST
@@ -9,11 +9,15 @@
9 9
 from phileo.models import Like
10 10
 from phileo.signals import object_liked, object_unliked
11 11
 
  12
+from phileo.handlers import library
  13
+
12 14
 
13 15
 @require_POST
14 16
 @login_required
15 17
 def like_toggle(request, content_type_id, object_id):
16 18
     content_type = get_object_or_404(ContentType, pk=content_type_id)
  19
+    if not library.is_registered(content_type.model_class):
  20
+        return HttpResponseForbidden()
17 21
     
18 22
     like, created = Like.objects.get_or_create(
19 23
         sender = request.user,
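Review bot: the check passes `content_type.model_class` (the bound method, not its result) to `is_registered`, so the registry is never asked about a model class; it should be `content_type.model_class()`. Since `model_class()` returns None for a ContentType whose model no longer exists, treat None as not registered. Together with the inverted return in `Registry.is_registered`, the method object is never in the list and the check currently evaluates to True for every content type, leaving the `HttpResponseForbidden()` path unreachable.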