Likeable models must be registered with phileo first

mx-moth · Nov 28, 2011 · babdfb3 · babdfb3
1 parent eb56d27
commit babdfb3
Show file tree

Hide file tree

Showing 5 changed files with 52 additions and 4 deletions.
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+*.pyc
diff --git a/docs/changelog.rst b/docs/changelog.rst
@@ -3,6 +3,13 @@
 ChangeLog
 =========
 
+0.3
+---
+- Likeable models need to be registered in Phileo. This prevents users from liking
+  anything and everything, which could potentially lead to security problems (eg. liking
+  entries in permission tables, and thus seeing their content; liking administrative
+  users and thus getting their username).
+
 0.2
 ---
 

diff --git a/docs/usage.rst b/docs/usage.rst
@@ -3,8 +3,25 @@
 Usage
 =====
 
-Phileo consists of template tags that you place within your project
-to get different "liking" functionality.
+In your models
+--------------
+
+You need to register the models that will be 'likeable' with phileo, before
+you use phileo in templates::
+
+    # in models.py
+    from phileo.handlers import library as phileo_library
+
+    # Define your models ...
+
+    # Register a single model
+    phileo_library.register(Post)
+
+    # Register a bunch of models at once
+    phileo_library.register([Page, Entry, Comment, Photo])
+
+In the views
+------------
 
 Let's say you have a detail page for a blog post. First you will want
 to load the tags::
@@ -27,4 +44,4 @@ Then at the bottom of your page where include your javascript::
     {% likes_js request.user post %}
 
 
-That's all you need to do to get the basics working.
+That's all you need to do to get the basics working.
diff --git a/phileo/handlers.py b/phileo/handlers.py
@@ -0,0 +1,19 @@
+from django.db.models.base import ModelBase
+
+class Registry(object):
+    def __init__(self):
+        self._registry = []
+
+    def register(self, models):
+
+        if isinstance(models, ModelBase):
+            models = [models]
+
+        for model in models:
+            self._registry.append(model)
+
+    def is_registered(self, model):
+        return not (model in self._registry)
+
+library = Registry()
+
diff --git a/phileo/views.py b/phileo/views.py
@@ -1,19 +1,23 @@
 from django.contrib.auth.decorators import login_required
 from django.contrib.contenttypes.models import ContentType
 
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpResponseForbidden
 from django.utils import simplejson as json
 from django.shortcuts import get_object_or_404, redirect
 from django.views.decorators.http import require_POST
 
 from phileo.models import Like
 from phileo.signals import object_liked, object_unliked
 
+from phileo.handlers import library
+
 
 @require_POST
 @login_required
 def like_toggle(request, content_type_id, object_id):
     content_type = get_object_or_404(ContentType, pk=content_type_id)
+    if not library.is_registered(content_type.model_class):
+        return HttpResponseForbidden()
 
     like, created = Like.objects.get_or_create(
         sender = request.user,