
Merge branch 'security-fix'

commit 2b906a4f85acc54c72d4a9f569da4ecf63a59eb3 2 parents 4a323a2 + 688eda2
@paltman paltman authored
7 docs/changelog.rst
@@ -5,12 +5,19 @@ ChangeLog
0.3
---
+
+- Renamed `likes_css` and `likes_widget` to `phileo_css` and `phileo_widget`
- Turned the JavaScript code in to a jQuery plugin, removed most of the initialization
code from the individual widget templates to a external JavaScript file, and added a
{% phileo_js %} tag to load this plugin.
- Each like button gets a unique ID, so multiple like buttons can appear on a single
page
- The like form works without JavaScript.
+- Likeable models need to be added to `PHILEO_LIKABLE_MODELS` setting. This prevents users
+ from liking anything and everything, which could potentially lead to security problems
+ (eg. liking entries in permission tables, and thus seeing their content; liking
+ administrative users and thus getting their username).
+
0.2
---
21 docs/usage.rst
@@ -3,8 +3,21 @@
Usage
=====
-Phileo consists of template tags that you place within your project
-to get different "liking" functionality.
+In your settings
+----------------
+
+You need to add each model that you want to be likable to the
+`PHILEO_LIKABLE_MODELS` setting::
+
+ PHILEO_LIKABLE_MODELS = [
+ "profiles.Profile",
+ "videos.Video",
+ "biblion.Post"
+ ]
+
+
+In the views
+------------
Let's say you have a detail page for a blog post. First you will want
to load the tags::
@@ -14,7 +27,7 @@ to load the tags::
Then in the <head> section of your template load the css::
- {% likes_css %}
+ {% phileo_css %}
Load the required JavaScript file, wherever you load your JavaScript libraries::
@@ -24,7 +37,7 @@ Load the required JavaScript file, wherever you load your JavaScript libraries::
In the body where you want the liking widget to go, add::
- {% likes_widget request.user post %}
+ {% phileo_widget request.user post %}
That's all you need to do to get the basics working.
7 phileo/templatetags/phileo_tags.py
@@ -2,7 +2,6 @@
from django.conf import settings
from django.core.urlresolvers import reverse
-from django.contrib.auth.models import User
from django.contrib.contenttypes.models import ContentType
from phileo.models import Like
@@ -61,16 +60,17 @@ def likes_count(obj):
@register.inclusion_tag("phileo/_css.html")
-def likes_css():
+def phileo_css():
return {"STATIC_URL": settings.STATIC_URL}
+
@register.inclusion_tag("phileo/_js.html")
def phileo_js():
return {"STATIC_URL": settings.STATIC_URL}
@register.inclusion_tag("phileo/_widget.html")
-def likes_widget(user, obj, widget_id=None, like_type="like", toggle_class="phileo-liked"):
+def phileo_widget(user, obj, widget_id=None, like_type="like", toggle_class="phileo-liked"):
ct = ContentType.objects.get_for_model(obj)
like_count = Like.objects.filter(
@@ -103,6 +103,7 @@ def likes_widget(user, obj, widget_id=None, like_type="like", toggle_class="phil
"is_liked": toggle_class if liked else ""
}
+
class LikedObjectsNode(template.Node):
def __init__(self, objects, user, varname):
14 phileo/views.py
@@ -1,7 +1,8 @@
from django.contrib.auth.decorators import login_required
from django.contrib.contenttypes.models import ContentType
-from django.http import HttpResponse
+from django.conf import settings
+from django.http import HttpResponse, HttpResponseForbidden
from django.utils import simplejson as json
from django.shortcuts import get_object_or_404, redirect
from django.views.decorators.http import require_POST
@@ -10,11 +11,22 @@
from phileo.signals import object_liked, object_unliked
+LIKABLE_MODELS = getattr(settings, "PHILEO_LIKABLE_MODELS", [])
+
+
+def _allowed(obj):
+ model_name = "%s.%s" % (obj._meta.app_label, obj._meta.object_name)
+ return model_name in LIKABLE_MODELS
+
+
@require_POST
@login_required
def like_toggle(request, content_type_id, object_id):
content_type = get_object_or_404(ContentType, pk=content_type_id)
+ if not _allowed(content_type.model_class()):
+ return HttpResponseForbidden()
+
like, created = Like.objects.get_or_create(
sender = request.user,
receiver_content_type = content_type,
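Review bot: `_allowed` assumes `content_type.model_class()` hands back a model class, but a stale ContentType row whose model has since been removed or renamed makes `model_class()` return None, so `obj._meta` in `_allowed` raises AttributeError and the request ends in a 500 rather than the clean refusal the new check is meant to give. A one-line guard at the top of `_allowed`, `if obj is None: return False`, routes that case to the same `HttpResponseForbidden()` the view already returns for unlisted models. The parameter receives a model class rather than an instance, so naming it `model` would describe it more accurately. `LIKABLE_MODELS` is also evaluated once at import time, so settings changed afterwards (for example `override_settings` in tests) are not seen by `_allowed`; reading `getattr(settings, "PHILEO_LIKABLE_MODELS", [])` inside the function avoids that. `like_toggle`'s body continues past the end of the hunk.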