From d358bd991a19eb7acf5f2fdae56676f2d32193a0 Mon Sep 17 00:00:00 2001
From: Roberto Rosario
Date: Sat, 19 Nov 2011 01:06:34 -0400
Subject: [PATCH] Close possible security hole by not trusting user input when saving smart link conditions

---
 apps/grouping/forms.py | 5 +----
 apps/grouping/views.py | 6 ++++--
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/apps/grouping/forms.py b/apps/grouping/forms.py
index 506b20ee6d..12b41ce1c3 100644
--- a/apps/grouping/forms.py
+++ b/apps/grouping/forms.py
@@ -19,10 +19,7 @@ class SmartLinkForm(forms.ModelForm):
 class SmartLinkConditionForm(forms.ModelForm):
     class Meta:
         model = DocumentGroupItem
-
-    def __init__(self, *args, **kwargs):
-        super(DocumentGroupItemForm, self).__init__(*args, **kwargs)
-        self.fields['document_group'].widget = forms.HiddenInput()
+        exclude = ('document_group',)
 
 
 class SmartLinkImageWidget(forms.widgets.Widget):
diff --git a/apps/grouping/views.py b/apps/grouping/views.py
index e6085b9d4f..9f1ec13262 100644
--- a/apps/grouping/views.py
+++ b/apps/grouping/views.py
@@ -235,8 +235,10 @@ def smart_link_condition_edit(request, smart_link_condition_pk):
     if request.method == 'POST':
         form = SmartLinkConditionForm(request.POST, instance=smart_link_condition)
         if form.is_valid():
-            smart_link_condition = form.save()
-            messages.success(request, _(u'Smart link condition: "%s" created successfully.') % smart_link_condition)
+            new_smart_link_condition = form.save(commit=False)
+            new_smart_link_condition.document_group = smart_link_condition.document_group
+            new_smart_link_condition.save()
+            messages.success(request, _(u'Smart link condition: "%s" edited successfully.') % smart_link_condition)
         return HttpResponseRedirect(next)
     else:
         form = SmartLinkConditionForm(instance=smart_link_condition)
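Review bot: The new `exclude = ('document_group',)` in SmartLinkConditionForm.Meta is the line that actually stops a POST body from re-parenting a condition to another group, and nothing in the hunk records that intent, so a later maintainer could "restore" the field as a hidden input and reopen the hole; add `# document_group is never taken from POST: the view assigns it from the object being edited` above the `exclude` line. With the field gone from the form, every view that saves this form must now set `document_group` itself; this commit only updates the edit view in views.py, so if a create view binds the same form (not visible here) it presumably needs the same `save(commit=False)` assignment or it will fail on the NOT NULL foreign key.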
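Review bot: The `new_smart_link_condition.document_group = smart_link_condition.document_group` line in smart_link_condition_edit is a self-assignment, because Django's ModelForm `save(commit=False)` returns the very instance the form was bound with (`instance=smart_link_condition`), so `new_smart_link_condition` and `smart_link_condition` are the same object and the group value was never overwritten by the form once the field is excluded. The line does no harm as a defensive measure, but the name `new_smart_link_condition` suggests a distinct object that does not exist; either drop it back to `form.save()` with a comment, or keep it and say why: `# form excludes document_group, so it cannot arrive via POST; the assignment is a belt-and-braces guard against that exclusion being removed`. smart_link_condition_edit starts before this hunk, so whether the caller is checked for permission on this specific condition is not visible here.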