Close possible security hole by not trusting user input when saving smart link conditions

Roberto Rosario
2011-11-19 01:06:34 -04:00
parent d422dfaa1a
commit d358bd991a
2 changed files with 5 additions and 6 deletions


@@ -19,10 +19,7 @@ class SmartLinkForm(forms.ModelForm):
class SmartLinkConditionForm(forms.ModelForm):
class Meta:
model = DocumentGroupItem
def __init__(self, *args, **kwargs):
super(DocumentGroupItemForm, self).__init__(*args, **kwargs)
self.fields['document_group'].widget = forms.HiddenInput()
exclude = ('document_group',)
class SmartLinkImageWidget(forms.widgets.Widget):
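Review bot: `exclude = ('document_group',)` is a denylist, so any field added to the model later becomes writable through SmartLinkConditionForm by default, with no one deciding that it should be. An allowlist is safer: declare `fields = (...)` on `Meta`, naming only the columns the condition editor is meant to change. The page has lost its indentation, so this assumes the `exclude` line sits inside `class Meta`; at class level Django would ignore it and the hidden field's removal would leave `document_group` as an ordinary editable field. A short comment such as `# document_group is set by the view, never by the client` would record why the field is withheld.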


@@ -235,8 +235,10 @@ def smart_link_condition_edit(request, smart_link_condition_pk):
if request.method == 'POST':
form = SmartLinkConditionForm(request.POST, instance=smart_link_condition)
if form.is_valid():
smart_link_condition = form.save()
messages.success(request, _(u'Smart link condition: "%s" created successfully.') % smart_link_condition)
new_smart_link_condition = form.save(commit=False)
new_smart_link_condition.document_group = smart_link_condition.document_group
new_smart_link_condition.save()
messages.success(request, _(u'Smart link condition: "%s" edited successfully.') % smart_link_condition)
return HttpResponseRedirect(next)
else:
form = SmartLinkConditionForm(instance=smart_link_condition)
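Review bot: The assignment `new_smart_link_condition.document_group = smart_link_condition.document_group` is most likely a no-op. The form is bound with `instance=smart_link_condition`, and a Django ModelForm's `save(commit=False)` returns that same instance, so both names refer to one object. The protection therefore rests entirely on the form's `exclude`; if `document_group` ever returns to the form, validation will already have written the posted value onto the instance before this line reads it. To make the view enforce the invariant itself, capture the value before binding the form, `original_group = smart_link_condition.document_group`, and assign `new_smart_link_condition.document_group = original_group` after `form.save(commit=False)`. The body of smart_link_condition_edit starts and ends outside this hunk, so any permission check on the condition is not visible here.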