|
35 | 35 | import warnings |
36 | 36 | from past.builtins import unicode |
37 | 37 | from future.utils import bytes_to_native_str |
| 38 | +from django.utils.http import is_safe_url |
38 | 39 |
|
39 | 40 | from time import time |
40 | 41 |
|
|
67 | 68 |
|
68 | 69 | from omeroweb.webclient.webclient_utils import _formatReport, _purgeCallback |
69 | 70 | from .forms import GlobalSearchForm, ContainerForm |
70 | | -from .forms import ShareForm, BasketShareForm |
| 71 | +from .forms import ShareForm |
71 | 72 | from .forms import ContainerNameForm, ContainerDescriptionForm |
72 | 73 | from .forms import CommentAnnotationForm, TagsAnnotationForm |
73 | 74 | from .forms import MetadataFilterForm, MetadataDetectorForm |
@@ -176,6 +177,17 @@ def get_bool_or_default(request, name, default): |
176 | 177 | return toBoolean(request.GET.get(name, default)) |
177 | 178 |
|
178 | 179 |
|
| 180 | +def validate_redirect_url(url): |
| 181 | + """ |
| 182 | + Returns a URL is safe to redirect to. |
| 183 | + If url is a different host, not in settings.REDIRECT_ALLOWED_HOSTS |
| 184 | + we return webclient index URL. |
| 185 | + """ |
| 186 | + if not is_safe_url(url, allowed_hosts=settings.REDIRECT_ALLOWED_HOSTS): |
| 187 | + url = reverse("webindex") |
| 188 | + return url |
| 189 | + |
| 190 | + |
179 | 191 | ############################################################################## |
180 | 192 | # custom index page |
181 | 193 |
|
@@ -257,6 +269,8 @@ def handle_logged_in(self, request, conn, connector): |
257 | 269 | url = parse_url(settings.LOGIN_REDIRECT) |
258 | 270 | except Exception: |
259 | 271 | url = reverse("webindex") |
| 272 | + else: |
| 273 | + url = validate_redirect_url(url) |
260 | 274 | return HttpResponseRedirect(url) |
261 | 275 |
|
262 | 276 | def handle_not_logged_in(self, request, error=None, form=None): |
@@ -335,6 +349,7 @@ def change_active_group(request, conn=None, url=None, **kwargs): |
335 | 349 | """ |
336 | 350 | switch_active_group(request) |
337 | 351 | url = url or reverse("webindex") |
| 352 | + url = validate_redirect_url(url) |
338 | 353 | return HttpResponseRedirect(url) |
339 | 354 |
|
340 | 355 |
|
@@ -534,6 +549,7 @@ def _load_template(request, menu, conn=None, url=None, **kwargs): |
534 | 549 | context["thumbnails_batch"] = settings.THUMBNAILS_BATCH |
535 | 550 | context["current_admin_privileges"] = conn.getCurrentAdminPrivileges() |
536 | 551 | context["leader_of_groups"] = conn.getEventContext().leaderOfGroups |
| 552 | + context["member_of_groups"] = conn.getEventContext().memberOfGroups |
537 | 553 |
|
538 | 554 | return context |
539 | 555 |
|
@@ -2871,47 +2887,6 @@ def manage_action_containers( |
2871 | 2887 | d.update({e[0]: unicode(e[1])}) |
2872 | 2888 | rdict = {"bad": "true", "errs": d} |
2873 | 2889 | return JsonResponse(rdict) |
2874 | | - elif action == "add": |
2875 | | - template = "webclient/public/share_form.html" |
2876 | | - experimenters = list(conn.getExperimenters()) |
2877 | | - experimenters.sort(key=lambda x: x.getOmeName().lower()) |
2878 | | - if o_type == "share": |
2879 | | - img_ids = request.GET.getlist("image", request.POST.getlist("image")) |
2880 | | - if request.method == "GET" and len(img_ids) == 0: |
2881 | | - return HttpResponse("No images specified") |
2882 | | - images_to_share = list(conn.getObjects("Image", img_ids)) |
2883 | | - if request.method == "POST": |
2884 | | - form = BasketShareForm( |
2885 | | - initial={"experimenters": experimenters, "images": images_to_share}, |
2886 | | - data=request.POST.copy(), |
2887 | | - ) |
2888 | | - if form.is_valid(): |
2889 | | - images = form.cleaned_data["image"] |
2890 | | - message = form.cleaned_data["message"] |
2891 | | - expiration = form.cleaned_data["expiration"] |
2892 | | - members = form.cleaned_data["members"] |
2893 | | - # guests = request.POST['guests'] |
2894 | | - enable = form.cleaned_data["enable"] |
2895 | | - host = "%s?server=%i" % ( |
2896 | | - request.build_absolute_uri( |
2897 | | - reverse("load_template", args=["public"]) |
2898 | | - ), |
2899 | | - int(conn.server_id), |
2900 | | - ) |
2901 | | - shareId = manager.createShare( |
2902 | | - host, images, message, members, enable, expiration |
2903 | | - ) |
2904 | | - return HttpResponse("shareId:%s" % shareId) |
2905 | | - else: |
2906 | | - initial = { |
2907 | | - "experimenters": experimenters, |
2908 | | - "images": images_to_share, |
2909 | | - "enable": True, |
2910 | | - "selected": request.GET.getlist("image"), |
2911 | | - } |
2912 | | - form = BasketShareForm(initial=initial) |
2913 | | - template = "webclient/public/share_form.html" |
2914 | | - context = {"manager": manager, "form": form} |
2915 | 2890 |
|
2916 | 2891 | elif action == "edit": |
2917 | 2892 | # form for editing Shares only |
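Review bot: `validate_redirect_url` (new in the second hunk, lines 180-188 of the new file) calls `is_safe_url` without `require_https`, so on an HTTPS deployment a same-host `http://` target still passes the check and the redirect downgrades the scheme; the function should accept the flag and forward it, `def validate_redirect_url(url, require_https=False):` / `if not is_safe_url(url, allowed_hosts=settings.REDIRECT_ALLOWED_HOSTS, require_https=require_https):`, with the two callers in `handle_logged_in` and `change_active_group` passing `require_https=request.is_secure()`. `is_safe_url` is also the pre-Django-3.0 name of `url_has_allowed_host_and_scheme` (removed in Django 4.0), which is worth a comment at the import on the first hunk so the rename is not missed on upgrade. The docstring should read `Return a URL that is safe to redirect to.` rather than "Returns a URL is safe to redirect to". The behaviour with `url` being None or empty (falls through to `reverse("webindex")`, as `is_safe_url` rejects empty input) is presumably intended but deserves a sentence in the docstring.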
|