From 3ca6595fe648d6e354bcdbb2c5142951bebaa97a Mon Sep 17 00:00:00 2001 From: Roberto Rosario Date: Fri, 17 Aug 2018 04:16:06 -0400 Subject: [PATCH] Tags app: Add explicit post action redirect for the tag attach and tag remove actions when working on a single document. Signed-off-by: Roberto Rosario --- HISTORY.rst | 4 +- docs/releases/3.0.3.rst | 79 ++++++++++++++++++++++++++++++++++++++++ docs/releases/index.rst | 1 + mayan/apps/tags/views.py | 16 +++++++- 4 files changed, 98 insertions(+), 2 deletions(-) create mode 100644 docs/releases/3.0.3.rst diff --git a/HISTORY.rst b/HISTORY.rst index 007d11dd82..6f6ecdf91d 100644 --- a/HISTORY.rst +++ b/HISTORY.rst @@ -1,8 +1,10 @@ 3.0.3 (2018-08-17) ================== -- Add explicit casting of escaped tag labels to prevent exploit +- Tags app: Add explicit casting of escaped tag labels to prevent exploit of cross site scripting. Thanks to Lokesh (@lokesh1095) for the report and proposed solutions. Closes GitLab issue #496. +- Tags app: Add explicit post action redirect for the tag attach and + tag remove actions when working on a single document. 3.0.2 (2018-08-16) ================== diff --git a/docs/releases/3.0.3.rst b/docs/releases/3.0.3.rst new file mode 100644 index 0000000000..5338d24251 --- /dev/null +++ b/docs/releases/3.0.3.rst 
@@ -0,0 +1,79 @@ +=============================== +Mayan EDMS v3.0.3 release notes +=============================== + +Released: August 17, 2018 + +What's new +========== + +Program code +------------ +- Tags app: Add explicit post action redirect for the tag attach and + tag remove actions when working on a single document. + +Security +-------- +- Tags app: Add explicit casting of escaped tag labels to prevent exploit + of cross site scripting. Thanks to Lokesh (@lokesh1095) for + the report and proposed solutions. Closes GitLab issue #496. + +Removals +-------- +- None + +Upgrading from a previous version +--------------------------------- + + +Using PIP +~~~~~~~~~ + +Type in the console:: + + $ pip install mayan-edms==3.0.3 + +the requirements will also be updated automatically. + + +Using Git +~~~~~~~~~ + +If you installed Mayan EDMS by cloning the Git repository issue the commands:: + + $ git reset --hard HEAD + $ git pull + +otherwise download the compressed archived and uncompress it overriding the +existing installation. + +Next upgrade/add the new requirements:: + + $ pip install --upgrade -r requirements.txt + + +Common steps +~~~~~~~~~~~~ + +Migrate existing database schema with:: + + $ mayan-edms.py performupgrade + +Add new static media:: + + $ mayan-edms.py collectstatic --noinput + +The upgrade procedure is now complete. + + +Backward incompatible changes +============================= + +* None + +Bugs fixed or issues closed +=========================== + +* `GitLab issue #496 `_ Persistent Cross Site Scripting + +.. _PyPI: https://pypi.python.org/pypi/mayan-edms/ diff --git a/docs/releases/index.rst b/docs/releases/index.rst index a2950d1a0e..305270f0e6 100644 --- a/docs/releases/index.rst +++ b/docs/releases/index.rst @@ -22,6 +22,7 @@ versions of the documentation contain the release notes for any later releases. .. toctree:: :maxdepth: 1 + 3.0.3 3.0.2 3.0.1 3.0 
diff --git a/mayan/apps/tags/views.py b/mayan/apps/tags/views.py index d079894989..a03514a4c7 100644 --- a/mayan/apps/tags/views.py +++ b/mayan/apps/tags/views.py @@ -3,7 +3,7 @@ from __future__ import absolute_import, unicode_literals import logging from django.contrib import messages -from django.shortcuts import get_object_or_404 +from django.shortcuts import get_object_or_404, reverse from django.urls import reverse_lazy from django.utils.translation import ugettext_lazy as _, ungettext @@ -77,6 +77,13 @@ class TagAttachActionView(MultipleObjectFormActionView): return result + def get_post_action_redirect(self): + queryset = self.get_queryset() + if queryset.count() == 1: + return reverse('tags:document_tags', args=(queryset.first().pk,)) + else: + return super(TagAttachActionView, self).get_post_action_redirect() + def object_action(self, form, instance): attached_tags = instance.attached_tags() @@ -291,6 +298,13 @@ class TagRemoveActionView(MultipleObjectFormActionView): return result + def get_post_action_redirect(self): + queryset = self.get_queryset() + if queryset.count() == 1: + return reverse('tags:document_tags', args=(queryset.first().pk,)) + else: + return super(TagRemoveActionView, self).get_post_action_redirect() + def object_action(self, form, instance): attached_tags = instance.attached_tags()
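Review bot: `reverse` is pulled from `django.shortcuts` while the very next line already imports `reverse_lazy` from `django.urls`, which is where `reverse` is defined; `django.shortcuts` only re-exports it for its own `redirect()` helper. Keep the two siblings together: `from django.shortcuts import get_object_or_404` and `from django.urls import reverse, reverse_lazy`.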
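Review bot: The new `get_post_action_redirect` runs two queries — `queryset.count()` followed by `queryset.first()` — to settle a question one query can answer, and the identical six-line body is added again in the `TagRemoveActionView` hunk further down; both overrides should call one shared helper. Presumably `get_queryset()` here is the set of documents the action ran on (the `MultipleObjectFormActionView` base and the class header are outside the hunk, so confirm), in which case `list(queryset[:2])` both bounds the query and avoids `first()` re-running it. The redirect target is built with `reverse()` from a fixed route name, so no request-supplied URL reaches the response — keep that property in the helper. Each override also lacks a docstring; something like `"""Return to the document's tag list when the action ran on exactly one document, otherwise use the base view's redirect."""` would explain the branch.
```python
def _single_document_tags_url(queryset):
    # At most two rows are needed to decide the single-document case; one
    # query instead of count() followed by first().
    documents = list(queryset[:2])
    if len(documents) == 1:
        return reverse('tags:document_tags', args=(documents[0].pk,))
    return None


# … unchanged: TagAttachActionView up to get_post_action_redirect …
    def get_post_action_redirect(self):
        """Return to the document's tag list when the action ran on exactly
        one document, otherwise use the base view's redirect."""
        url = _single_document_tags_url(self.get_queryset())
        if url is not None:
            return url
        return super(TagAttachActionView, self).get_post_action_redirect()
```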