Do not allow all models to be liked #2

Closed
wants to merge 1 commit into from

2 participants

@timheap

Allowing all models to be liked introduces potential security risks. Users could like administrative users, for example, and find out their user name. Or, they could like entries in the permissions tables, and find out their values. Explicitly allowing models that can be bookmarked is safer.

@paltman
Owner

I think this is an excellent idea. I prefer to use a simple setting defined in settings.py that lists the models that are likeable, similar to how django-activity-stream handles it, but will merge it in and modify.

@paltman
Owner

I merged in but then modified to be based on a PHILEO_LIKABLE_MODELS list in settings.py rather than requiring a registry.

@paltman paltman closed this
@timheap

PHILEO_LIKABLE_MODELS sounds good to me. I based the registry off another generic bookmarking/liking app, which used a registry, however a list of models is much simpler. Thanks for merging!

Commits on Nov 28, 2011
  1. @timheap
1  .gitignore
@@ -0,0 +1 @@
+*.pyc
7 docs/changelog.rst
@@ -3,6 +3,13 @@
ChangeLog
=========
+0.3
+---
+- Likeable models need to be registered in Phileo. This prevents users from liking
+ anything and everything, which could potentially lead to security problems (eg. liking
+ entries in permission tables, and thus seeing their content; liking administrative
+ users and thus getting their username).
+
0.2
---
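Review bot: The changelog entry explains why registration is now required but not how to do it, so a user upgrading to 0.3 cannot tell from this file what they must change; add a pointer to `phileo.handlers.library.register` (documented in docs/usage.rst in this same change) so the entry is actionable. Minor: "eg." should be "e.g.".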
23 docs/usage.rst
@@ -3,8 +3,25 @@
Usage
=====
-Phileo consists of template tags that you place within your project
-to get different "liking" functionality.
+In your models
+--------------
+
+You need to register the models that will be 'likeable' with phileo, before
+you use phileo in templates::
+
+ # in models.py
+ from phileo.handlers import library as phileo_library
+
+ # Define your models ...
+
+ # Register a single model
+ phileo_library.register(Post)
+
+ # Register a bunch of models at once
+ phileo_library.register([Page, Entry, Comment, Photo])
+
+In the views
+------------
Let's say you have a detail page for a blog post. First you will want
to load the tags::
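Review bot: The hunk deletes the opening sentence ("Phileo consists of template tags that you place within your project to get different 'liking' functionality") instead of moving it, so the page now starts with a registration step before the reader is told what phileo is; keep that sentence above the new "In your models" heading. The registration section should also state what happens for an unregistered model: the wording "before you use phileo in templates" suggests template rendering fails, but the only enforcement in this patch is the `HttpResponseForbidden` returned by `like_toggle` in phileo/views.py, so the templates still render and only the like request is rejected.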
@@ -27,4 +44,4 @@ Then at the bottom of your page where include your javascript::
{% likes_js request.user post %}
-That's all you need to do to get the basics working.
+That's all you need to do to get the basics working.
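Review bot: The removed and added lines `That's all you need to do to get the basics working.` are textually identical, so this hunk is a whitespace-only change (trailing whitespace or line ending) that adds review noise without affecting the docs; drop it from the patch or move it to a separate cleanup commit.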
19 phileo/handlers.py
@@ -0,0 +1,19 @@
+from django.db.models.base import ModelBase
+
+class Registry(object):
+ def __init__(self):
+ self._registry = []
+
+ def register(self, models):
+
+ if isinstance(models, ModelBase):
+ models = [models]
+
+ for model in models:
+ self._registry.append(model)
+
+ def is_registered(self, model):
+ return not (model in self._registry)
+
+library = Registry()
+
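Review bot: `is_registered` has inverted logic: `return not (model in self._registry)` returns True for models that are not in the registry and False for those that are, so a caller that forbids requests when `is_registered` is False will reject every registered model and accept every unregistered one, the opposite of what the PR description intends. It should read `return model in self._registry`. Two smaller points: `register` appends without checking for duplicates, so registering the same model twice leaves two entries (store a set, or guard with `if model not in self._registry`), and the file ends with an extra blank line after `library = Registry()`.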
6 phileo/views.py
@@ -1,7 +1,7 @@
from django.contrib.auth.decorators import login_required
from django.contrib.contenttypes.models import ContentType
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpResponseForbidden
from django.utils import simplejson as json
from django.shortcuts import get_object_or_404, redirect
from django.views.decorators.http import require_POST
@@ -9,11 +9,15 @@
from phileo.models import Like
from phileo.signals import object_liked, object_unliked
+from phileo.handlers import library
+
@require_POST
@login_required
def like_toggle(request, content_type_id, object_id):
content_type = get_object_or_404(ContentType, pk=content_type_id)
+ if not library.is_registered(content_type.model_class):
+ return HttpResponseForbidden()
like, created = Like.objects.get_or_create(
sender = request.user,
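Review bot: `library.is_registered(content_type.model_class)` passes the bound method, not the model class; `ContentType.model_class` is a method and must be called, `content_type.model_class()`. As written the registry is asked about a method object, which can never be in `_registry`, and combined with the inverted test in phileo/handlers.py the expression evaluates to True for every request, so the new `HttpResponseForbidden` branch is unreachable and the patch does not actually restrict which models can be liked. Once the call is fixed, also handle `model_class()` returning None (a ContentType whose model no longer exists) before the registry lookup, returning the same 403 rather than raising.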