Likeable models must be registered with phileo first

commit babdfb36c0709d4a29e38bfc058926dbf51d108e 1 parent eb56d27
@timheap authored
1  .gitignore
@@ -0,0 +1 @@
+*.pyc
7 docs/changelog.rst
@@ -3,6 +3,13 @@
ChangeLog
=========
+0.3
+---
+- Likeable models need to be registered in Phileo. This prevents users from liking
+ anything and everything, which could potentially lead to security problems (eg. liking
+ entries in permission tables, and thus seeing their content; liking administrative
+ users and thus getting their username).
+
0.2
---
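Review bot: the entry describes the motivation but not the behaviour change: say that `like_toggle` now answers with a 403 for models that are not registered, and that this is a breaking change for existing installs, since any model not registered via `phileo.handlers.library` stops being likeable after upgrading. Style: "eg." should be "e.g.".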
23 docs/usage.rst
@@ -3,8 +3,25 @@
Usage
=====
-Phileo consists of template tags that you place within your project
-to get different "liking" functionality.
+In your models
+--------------
+
+You need to register the models that will be 'likeable' with phileo, before
+you use phileo in templates::
+
+ # in models.py
+ from phileo.handlers import library as phileo_library
+
+ # Define your models ...
+
+ # Register a single model
+ phileo_library.register(Post)
+
+ # Register a bunch of models at once
+ phileo_library.register([Page, Entry, Comment, Photo])
+
+In the views
+------------
Let's say you have a detail page for a blog post. First you will want
to load the tags::
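Review bot: the new section shows what to register but not where the call has to live; since `like_toggle` consults the registry at request time, the `phileo_library.register(...)` call must run in a module Django imports on startup (the `# in models.py` comment implies this, but it should be stated explicitly). The deleted overview sentence ("Phileo consists of template tags ...") was useful orientation; consider keeping it above "In your models" rather than dropping it.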
@@ -27,4 +44,4 @@ Then at the bottom of your page where include your javascript::
{% likes_js request.user post %}
-That's all you need to do to get the basics working.
+That's all you need to do to get the basics working.
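Review bot: the `-`/`+` pair in this hunk is textually identical, so this is a whitespace-only change (trailing space or line ending); either drop it from the commit or mention it in the message so reviewers do not have to hunt for the difference.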
19 phileo/handlers.py
@@ -0,0 +1,19 @@
+from django.db.models.base import ModelBase
+
+class Registry(object):
+ def __init__(self):
+ self._registry = []
+
+ def register(self, models):
+
+ if isinstance(models, ModelBase):
+ models = [models]
+
+ for model in models:
+ self._registry.append(model)
+
+ def is_registered(self, model):
+ return not (model in self._registry)
+
+library = Registry()
+
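Review bot: `is_registered` has its result inverted: `return not (model in self._registry)` yields True for models that are not in the registry, so the caller in views.py (`if not library.is_registered(...)`) forbids exactly the registered models and lets everything else through. It should read `return model in self._registry`. Two smaller points: `register` appends without a membership check, so registering a model twice leaves duplicates (a set would avoid that), and an argument that is neither a `ModelBase` nor an iterable raises a `TypeError` in the loop rather than a clear error.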
6 phileo/views.py
@@ -1,7 +1,7 @@
from django.contrib.auth.decorators import login_required
from django.contrib.contenttypes.models import ContentType
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpResponseForbidden
from django.utils import simplejson as json
from django.shortcuts import get_object_or_404, redirect
from django.views.decorators.http import require_POST
@@ -9,11 +9,15 @@
from phileo.models import Like
from phileo.signals import object_liked, object_unliked
+from phileo.handlers import library
+
@require_POST
@login_required
def like_toggle(request, content_type_id, object_id):
content_type = get_object_or_404(ContentType, pk=content_type_id)
+ if not library.is_registered(content_type.model_class):
+ return HttpResponseForbidden()
like, created = Like.objects.get_or_create(
sender = request.user,
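Review bot: `content_type.model_class` is passed without being called; `ContentType.model_class` is a method, so the registry is checked against a bound method rather than the model class and the membership test can never match. It should be `content_type.model_class()`. Together with the inverted `is_registered` in handlers.py, the net effect of this commit is that the `HttpResponseForbidden()` branch is never taken and unregistered models remain likeable, which defeats the purpose stated in the changelog. Note also that `model_class()` can return None for a stale content type; treat that as forbidden (or 404) as well, and add a test that posts to `like_toggle` for an unregistered model and asserts on the 403.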