Do not allow all models to be liked #2

wants to merge 1 commit into from

2 participants


Allowing all models to be liked introduces potential security risks. Users could like administrative users, for example, and find out their user name. Or, they could like entries in the permissions tables, and find out their values. Explicitly allowing models that can be bookmarked is safer.
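
The risk described above, as an added example that is not phileo's own code: a plain-Python allow-list with a correct membership test, a stand-in like view that answers 403 for content types that are not allow-listed (and records the attempt for auditing), and a helper that loads the same allow-list from a settings-style list of "app_label.ModelName" strings. That label format is an assumption; the PHILEO_LIKABLE_MODELS setting the maintainers mention is not shown on this page. The model classes, the ContentType stand-in and the content-type table are constructed sample data, and Django is not imported, so the script runs offline.

```python
# Added example, not phileo's code: an explicit allow-list of likeable model
# classes, consulted before a like is stored. Django is not imported so the
# script runs stand-alone; ContentType, the model classes and like_toggle are
# constructed stand-ins for the Django objects the pull request touches.
from dataclasses import dataclass
from typing import Iterable, Optional, Union


# Constructed sample model classes (stand-ins for Django models).
class Post:
    pass


class Permission:
    pass


class User:
    pass


# Lookup from (app_label, model) to class; Django resolves this from the ORM.
MODELS = {
    ("blog", "post"): Post,
    ("auth", "permission"): Permission,
    ("auth", "user"): User,
}


@dataclass(frozen=True)
class ContentType:
    """Stand-in for django.contrib.contenttypes ContentType (constructed)."""
    pk: int
    app_label: str
    model: str

    def model_class(self) -> Optional[type]:
        # None for a stale row whose model no longer exists, as Django's does.
        return MODELS.get((self.app_label, self.model))


# Constructed content-type table; pk 4 points at a model that no longer exists.
CONTENT_TYPES = {
    1: ContentType(1, "blog", "post"),
    2: ContentType(2, "auth", "permission"),
    3: ContentType(3, "auth", "user"),
    4: ContentType(4, "blog", "retired"),
}


class Registry:
    """Allow-list of classes whose instances may be liked."""

    def __init__(self) -> None:
        self._registry: set = set()   # a set: re-registering is a no-op

    def register(self, models: Union[type, Iterable[type]]) -> None:
        if isinstance(models, type):   # single class or an iterable of classes
            models = [models]
        self._registry.update(models)

    def is_registered(self, model: object) -> bool:
        # Plain membership test; a bound method or None is never a member.
        return model in self._registry


library = Registry()
library.register(Post)


def register_from_setting(registry: Registry, labels: Iterable[str]) -> None:
    """Setting-style variant (assumed format "app_label.ModelName"):
    resolve each label to its class and register it."""
    for label in labels:
        app_label, model_name = label.split(".", 1)
        registry.register(MODELS[(app_label, model_name.lower())])


LIKES: set = set()
DENIED: list = []   # audit trail of rejected like attempts


def like_toggle(user: str, content_type_id: int, object_id: int) -> int:
    """Stand-in view: returns the HTTP status the real view would send."""
    content_type = CONTENT_TYPES.get(content_type_id)
    if content_type is None:
        return 404
    model = content_type.model_class()   # call it: the attribute is a method
    if model is None or not library.is_registered(model):
        DENIED.append((user, content_type.app_label, content_type.model, object_id))
        return 403
    key = (user, content_type_id, object_id)
    if key in LIKES:
        LIKES.remove(key)                # toggle off
    else:
        LIKES.add(key)
    return 200


if __name__ == "__main__":
    print(like_toggle("alice", 1, 10))   # 200: blog.Post is allow-listed
    print(like_toggle("alice", 2, 1))    # 403: auth.Permission is not
    print(DENIED)
```

The view treats a `None` from `model_class()` (a stale content-type row) the same as an unlisted model, and the denied list is the hook a deployment would replace with a log line, since repeated 403s against permission or user content types are worth noticing.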

Pinax Project member

I think this is an excellent idea. I prefer to use a simple setting defined in that lists the models that are likeable, similar to how django-activity-stream handles it, but will merge them in and modify.

Pinax Project member

I merged in but then modified to be based on a PHILEO_LIKABLE_MODELS list in rather than requiring a registry.

@paltman paltman closed this

PHILEO_LIKABLE_MODELS sounds good to me. I based the registry off another generic bookmarking/liking app, which used a registry, however a list of models is much simpler. Thanks for merging!

Commits on Nov 28, 2011
Showing with 52 additions and 4 deletions.
  1. +1 −0 .gitignore
  2. +7 −0 docs/changelog.rst
  3. +20 −3 docs/usage.rst
  4. +19 −0 phileo/
  5. +5 −1 phileo/
1 .gitignore
@@ -0,0 +1 @@
7 docs/changelog.rst
@@ -3,6 +3,13 @@
+- Likeable models need to be registered in Phileo. This prevents users from liking
+ anything and everything, which could potentially lead to security problems (eg. liking
+ entries in permission tables, and thus seeing their content; liking administrative
+ users and thus getting their username).
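Review bot: the changelog entry says models "need to be registered" but not what happens to a like request for a model that is not; the views change in this same commit answers such requests with HttpResponseForbidden, so a closing sentence such as "Like requests for unregistered models are rejected with 403 Forbidden" would make the entry match the behaviour and tell upgraders why existing likes stop working until they register their models.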
23 docs/usage.rst
@@ -3,8 +3,25 @@
-Phileo consists of template tags that you place within your project
-to get different "liking" functionality.
+In your models
+You need to register the models that will be 'likeable' with phileo, before
+you use phileo in templates::
+ # in
+ from phileo.handlers import library as phileo_library
+ # Define your models ...
+ # Register a single model
+ phileo_library.register(Post)
+ # Register a bunch of models at once
+ phileo_library.register([Page, Entry, Comment, Photo])
+In the views
Let's say you have a detail page for a blog post. First you will want
to load the tags::
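Review bot: the new "In your models" section says registration must happen "before you use phileo in templates", but nothing in this change gates the template tags; the check lives in the like view, which returns 403 for unregistered models. The docs should say that, so a reader who forgets to register a model understands why the like button renders but the request is refused. It would also help to state that `register` accepts either a single model class or a list, which the two examples show but the text does not say.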
@@ -27,4 +44,4 @@ Then at the bottom of your page where include your javascript::
{% likes_js request.user post %}
-That's all you need to do to get the basics working.
+That's all you need to do to get the basics working.
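Review bot: the removed and added lines of this hunk read identically, so this is a whitespace-only change (most likely trailing whitespace); it is harmless, but dropping it would keep the diff focused on the registration change.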
19 phileo/
@@ -0,0 +1,19 @@
+from django.db.models.base import ModelBase
+class Registry(object):
+ def __init__(self):
+ self._registry = []
+ def register(self, models):
+ if isinstance(models, ModelBase):
+ models = [models]
+ for model in models:
+ self._registry.append(model)
+ def is_registered(self, model):
+ return not (model in self._registry)
+library = Registry()
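Review bot: `is_registered` is inverted: `return not (model in self._registry)` is True for models that were never registered and False for registered ones, so with the `if not library.is_registered(...)` guard in the view it is the registered models that get 403 and everything else stays likeable, the opposite of what the pull request sets out to do. It should read `return model in self._registry`. A smaller point: `register` appends unconditionally, so registering the same model twice (for example from two places that both import the models module) grows the list; a set, or an `if model not in self._registry` check, keeps it idempotent.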
6 phileo/
@@ -1,7 +1,7 @@
from django.contrib.auth.decorators import login_required
from django.contrib.contenttypes.models import ContentType
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpResponseForbidden
from django.utils import simplejson as json
from django.shortcuts import get_object_or_404, redirect
from django.views.decorators.http import require_POST
@@ -9,11 +9,15 @@
from phileo.models import Like
from phileo.signals import object_liked, object_unliked
+from phileo.handlers import library
def like_toggle(request, content_type_id, object_id):
content_type = get_object_or_404(ContentType, pk=content_type_id)
+ if not library.is_registered(content_type.model_class):
+ return HttpResponseForbidden()
like, created = Like.objects.get_or_create(
sender = request.user,
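Review bot: `content_type.model_class` is passed without being called, so `is_registered` receives a bound method rather than the model class and the membership test can never match; it needs to be `content_type.model_class()`. That method also returns `None` when the ContentType row refers to a model that no longer exists, so the guard should treat `None` as not registered instead of handing it to the registry. Because of the inverted test in handlers this branch never fires today, which means the 403 path is untested; a test that posts a like for an unregistered content type and asserts on a 403 would have caught both problems.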