From 6c313b9278ae1c9cb270a0b47042c17a05ad35d5 Mon Sep 17 00:00:00 2001
From: Andrey
Date: Wed, 15 Mar 2017 15:57:30 +0300
Subject: [PATCH] docs: closed number of major security holes in ajax [fix]
---
 project/docs/views/ajax.py | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/project/docs/views/ajax.py b/project/docs/views/ajax.py
index 048f5e7..bd4a767 100644
--- a/project/docs/views/ajax.py
+++ b/project/docs/views/ajax.py
@@ -34,10 +34,11 @@ def get_invoices(request, client_id=None):
     raise_if_no_profile(request)
+    invoices = Invoice.objects.get_all(request.user.profile)
+
     if client_id:
-        invoices = Invoice.objects.filter(client__id=client_id)
-    else:
-        invoices = Invoice.objects.filter(company=request.user.profile)
+        invoices = invoices.filter(client_id=client_id)
+
     invoices = {invoice.id: '№ %s от %s' % (invoice.doc_num, invoice.doc_date) for invoice in invoices}
     return HttpResponse(json.dumps(invoices), mimetype='application/json')
@@ -47,7 +48,9 @@ def get_tbl_items(request, invoice_id):
     if not request.is_ajax():
         return HttpResponseBadRequest()
-    invoice = Invoice.objects.get(pk=invoice_id)
+    raise_if_no_profile(request)
+
+    invoice = Invoice.objects.get(company=request.user.profile, pk=invoice_id)
     data = serializers.serialize('json', invoice.invoice_items.all())
     return HttpResponse(json.dumps(data), mimetype='application/json')
@@ -57,7 +60,9 @@ def get_client_by_invoice(request, invoice_id):
     if not request.is_ajax():
         return HttpResponseBadRequest()
-    invoice = Invoice.objects.get(pk=invoice_id)
+    raise_if_no_profile(request)
+
+    invoice = Invoice.objects.get(company=request.user.profile, pk=invoice_id)
     return HttpResponse(json.dumps([invoice.client.id, invoice.client.name]), mimetype='application/json')
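Review bot: The tenant scoping of get_invoices now rests entirely on `Invoice.objects.get_all(request.user.profile)`, a manager method not visible in this patch, whereas the removed line filtered on `company=request.user.profile` explicitly and the two hunks below in this same commit still do. If `get_all` ever returns more than the invoices whose company is the profile, the `client_id` branch becomes exactly the cross-tenant read this commit set out to close, because `client_id` comes from the URL and is never checked against the profile. Either filter explicitly, `invoices = Invoice.objects.filter(company=request.user.profile)`, for consistency with the sibling views, or pin the contract at the call site with `# get_all() is the only tenant check on this endpoint; it must restrict to the profile's own invoices`. get_invoices starts outside the hunk, so whatever precedes `raise_if_no_profile` (presumably the is_ajax guard the other views have) is not visible here.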
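Review bot: In get_tbl_items, `Invoice.objects.get(company=request.user.profile, pk=invoice_id)` raises `Invoice.DoesNotExist` when the id belongs to another company or does not exist, and nothing in the view catches it, so the tenant check surfaces as a 500 (a traceback page with DEBUG on) instead of a 404. `invoice = get_object_or_404(Invoice, company=request.user.profile, pk=invoice_id)` from `django.shortcuts` returns the same 404 for both cases, so the response also does not distinguish "someone else's invoice" from "no such invoice". Unrelated to this commit but visible in the context lines, `serializers.serialize('json', ...)` already returns a JSON string, so `json.dumps(data)` double-encodes the payload.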
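Review bot: get_client_by_invoice has the same gap as get_tbl_items: the newly scoped `Invoice.objects.get(...)` turns a foreign or unknown invoice_id into an uncaught `Invoice.DoesNotExist`, i.e. a 500, where a 404 is the intended answer. `invoice = get_object_or_404(Invoice, company=request.user.profile, pk=invoice_id)` gives that with no other change to the view. Whether `raise_if_no_profile` maps to a proper 403 rather than another 500 depends on that helper, which is not in this patch.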
@@ -66,18 +71,24 @@ def toggle_doc_status(request, doc_type, doc_id, doc_attr):
     if not request.is_ajax() or request.method != 'POST':
         return HttpResponseBadRequest()
+    raise_if_no_profile(request)
+
     model_ = get_model('docs', doc_type)
-    doc = model_.objects.get(pk=doc_id)
+    doc = model_.objects.get(company=request.user.profile, pk=doc_id)
+
     choices_ = doc._meta.get_field_by_name(doc_attr)[0].get_choices()
     choices = [i[0] for i in choices_[1:]]
     prev_val = getattr(doc, doc_attr)
+
     try:
         next_index = choices.index(prev_val) + 1
         next_val = choices[next_index]
     except:
         next_val = choices[0]
+
     setattr(doc, doc_attr, next_val)
     doc.save()
+
     next_text = dict(choices_)[next_val]
     return HttpResponse(json.dumps([next_text, next_val]), mimetype='application/json')
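Review bot: The added `company=request.user.profile` lookup stops cross-tenant writes, but `doc_type` and `doc_attr` are still taken verbatim from the URL: `get_model('docs', doc_type)` resolves any model in the app (returning None or raising for an unknown name, a 500 either way, and a FieldError if the model has no `company` field), and `get_field_by_name(doc_attr)` lets the caller cycle any choice field on the row, not only a status. Guard with an explicit allowlist before touching the model, `if doc_attr not in TOGGLEABLE_FIELDS.get(doc_type, ()): return HttpResponseBadRequest()`, where `TOGGLEABLE_FIELDS` is a module-level dict of model name to the tuple of fields this endpoint may flip; the scoped `model_.objects.get` also raises DoesNotExist for a foreign id, which `get_object_or_404` would turn into a 404. While here, the bare `except:` should be `except (ValueError, IndexError):`, which are the two expected failures (`prev_val` not among the choices, or already at the last one) rather than everything up to KeyboardInterrupt. toggle_doc_status begins outside the hunk, so any decorator on it (CSRF handling for this POST, for instance) is not visible.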