Merge branch 'security-fix'

docs/changelog.rst

@@ -5,12 +5,19 @@ ChangeLog
 
 0.3
 ---
+
+- Renamed `likes_css` and `likes_widget` to `phileo_css` and `phileo_widget`
 - Turned the JavaScript code in to a jQuery plugin, removed most of the initialization
   code from the individual widget templates to a external JavaScript file, and added a
   {% phileo_js %} tag to load this plugin.
 - Each like button gets a unique ID, so multiple like buttons can appear on a single
   page
 - The like form works without JavaScript.
+- Likeable models need to be added to `PHILEO_LIKABLE_MODELS` setting. This prevents users
+  from liking anything and everything, which could potentially lead to security problems
+  (eg. liking entries in permission tables, and thus seeing their content; liking
+  administrative users and thus getting their username).
+
 
 0.2
 ---

docs/usage.rst

@@ -3,8 +3,21 @@
 Usage
 =====
 
-Phileo consists of template tags that you place within your project
-to get different "liking" functionality.
+In your settings
+----------------
+
+You need to add each model that you want to be likable to the
+`PHILEO_LIKABLE_MODELS` setting::
+
+    PHILEO_LIKABLE_MODELS = [
+        "profiles.Profile",
+        "videos.Video",
+        "biblion.Post"
+    ]
+
+
+In the views
+------------
 
 Let's say you have a detail page for a blog post. First you will want
 to load the tags::
@@ -14,7 +27,7 @@ to load the tags::
 
 Then in the <head> section of your template load the css::
 
-    {% likes_css %}
+    {% phileo_css %}
 
 
 Load the required JavaScript file, wherever you load your JavaScript libraries::
@@ -24,7 +37,7 @@ Load the required JavaScript file, wherever you load your JavaScript libraries::
 
 In the body where you want the liking widget to go, add::
 
-    {% likes_widget request.user post %}
+    {% phileo_widget request.user post %}
 
 
 That's all you need to do to get the basics working.

phileo/templatetags/phileo_tags.py

@@ -2,7 +2,6 @@
 from django.conf import settings
 from django.core.urlresolvers import reverse
 
-from django.contrib.auth.models import User
 from django.contrib.contenttypes.models import ContentType
 
 from phileo.models import Like
@@ -61,16 +60,17 @@ def likes_count(obj):
 
 
 @register.inclusion_tag("phileo/_css.html")
-def likes_css():
+def phileo_css():
     return {"STATIC_URL": settings.STATIC_URL}
 
+
 @register.inclusion_tag("phileo/_js.html")
 def phileo_js():
     return {"STATIC_URL": settings.STATIC_URL}
 
 
 @register.inclusion_tag("phileo/_widget.html")
-def likes_widget(user, obj, widget_id=None, like_type="like", toggle_class="phileo-liked"):
+def phileo_widget(user, obj, widget_id=None, like_type="like", toggle_class="phileo-liked"):
     ct = ContentType.objects.get_for_model(obj)
 
     like_count = Like.objects.filter(
@@ -103,6 +103,7 @@ def likes_widget(user, obj, widget_id=None, like_type="like", toggle_class="phil
         "is_liked": toggle_class if liked else ""
     }
 
+
 class LikedObjectsNode(template.Node):
 
     def __init__(self, objects, user, varname):

phileo/views.py

@@ -1,7 +1,8 @@
 from django.contrib.auth.decorators import login_required
 from django.contrib.contenttypes.models import ContentType
 
-from django.http import HttpResponse
+from django.conf import settings
+from django.http import HttpResponse, HttpResponseForbidden
 from django.utils import simplejson as json
 from django.shortcuts import get_object_or_404, redirect
 from django.views.decorators.http import require_POST
@@ -10,11 +11,22 @@
 from phileo.signals import object_liked, object_unliked
 
 
+LIKABLE_MODELS = getattr(settings, "PHILEO_LIKABLE_MODELS", [])
+
+
+def _allowed(obj):
+    model_name = "%s.%s" % (obj._meta.app_label, obj._meta.object_name)
+    return model_name in LIKABLE_MODELS
+
+
 @require_POST
 @login_required
 def like_toggle(request, content_type_id, object_id):
     content_type = get_object_or_404(ContentType, pk=content_type_id)
 
+    if not _allowed(content_type.model_class()):
+        return HttpResponseForbidden()
+
     like, created = Like.objects.get_or_create(
         sender = request.user,
         receiver_content_type = content_type,