balfroim / opendata
Merging the my_profile view with the profile view introduced a security issue. Indeed, anyone can submit a POST form to any given user to modify their profile.
Code concerned (user.views:41-64):

```python
# Imports added for completeness; the form/model module paths are assumed
# to be the app's own forms.py / models.py (not stated in the issue).
from django.contrib.auth.models import User
from django.shortcuts import get_object_or_404, redirect, render

from .forms import ProfileForm
from .models import Content


def profile(request, username):
    # The target user comes from the URL path, not from the session.
    user = get_object_or_404(User, username=username)
    if request.method == 'POST':
        # The form is bound to the URL user's profile, so any visitor can
        # POST to /<username>/ and overwrite that user's profile.
        form = ProfileForm(request.POST, instance=user.profile)
        if form.is_valid():
            form.save()
            return redirect('profile', username=username)
    else:
        form = ProfileForm(instance=user.profile)
    last_badges = user.badges_earned.order_by('-awarded_at')[:10]
    last_contents = Content.objects.filter(author=user.profile).order_by('-posted_at')[:5]
    return render(request, 'profile.html', {
        'profile': user.profile,
        'last_badges': last_badges,
        'last_contents': last_contents,
        'form': form,
    })


def my_profile(request):
    # Redirects to the authenticated user's own page (request.user may be
    # anonymous if no login check is applied before this view).
    return redirect('profile', username=request.user.username)
```
As the username is fetched from the URL path and is not (necessarily) the authenticated one, any POST request will succeed.
A proper way to fix it is to use request.user instead of user. I also think that form should be None when rendering another user's profile page (even if that won't fix the issue).
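The access-control defect above, illustrated as an added example that is not the repository's code: a Django-free simulation in which one handler mirrors the reported logic (the edited profile is whichever user the URL names) and a second one binds edits to request.user, hands out no form on another user's page, and refuses a foreign POST. The Request, User and Profile classes and the in-memory USERS table are constructed stand-ins, not Django objects.

```python
"""Added example: vulnerable vs. hardened profile handler (Django-free simulation).

Assumptions (not from the issue): Request/User/Profile below stand in for
Django's request, User and Profile objects; form handling is reduced to a
dict with a single 'bio' field; USERS is a constructed in-memory user table.
"""
from dataclasses import dataclass, field


@dataclass
class Profile:
    bio: str = ""


@dataclass
class User:
    username: str
    profile: Profile = field(default_factory=Profile)


@dataclass
class Request:
    method: str
    user: User                      # the authenticated user (session)
    POST: dict = field(default_factory=dict)


USERS = {}  # constructed stand-in for the User table


def get_object_or_404(username):
    if username not in USERS:
        raise LookupError(404)
    return USERS[username]


def profile_vulnerable(request, username):
    """Mirrors the reported logic: the profile written is the one named in the URL."""
    user = get_object_or_404(username)
    if request.method == "POST":
        user.profile.bio = request.POST["bio"]
        return ("redirect", username)
    return ("render", username, {"bio": user.profile.bio})


def profile_fixed(request, username):
    """Hardened variant: edits always target request.user; another user's page
    renders without a form, and a POST to it is refused with 403."""
    user = get_object_or_404(username)
    is_owner = user.username == request.user.username
    if request.method == "POST":
        if not is_owner:
            return ("forbidden", 403)
        request.user.profile.bio = request.POST["bio"]  # bound to the session user
        return ("redirect", username)
    form = {"bio": user.profile.bio} if is_owner else None
    return ("render", username, form)


def demo():
    """Sends the same foreign POST to both handlers.

    Returns (victim bio after vulnerable handler,
             victim bio after fixed handler,
             response of the fixed handler)."""
    USERS.clear()
    USERS["victim"] = User("victim", Profile(bio="original"))
    USERS["other"] = User("other")
    req = Request("POST", USERS["other"], {"bio": "changed"})
    profile_vulnerable(req, "victim")
    after_vulnerable = USERS["victim"].profile.bio
    USERS["victim"].profile.bio = "original"
    status = profile_fixed(req, "victim")
    return after_vulnerable, USERS["victim"].profile.bio, status


if __name__ == "__main__":
    print(demo())
```

The check that matters is the ownership comparison before any write; in the real view the equivalent is binding ProfileForm to request.user.profile and returning a 403 (or redirecting) when the URL user is not the session user.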
If a theme is marked as hidden, its page ('/data/theme/{id}') and all of its datasets ('/data/dataset/{id}') are still publicly available.
Furthermore, hidden datasets that are linked to a keyword are shown in search results and in the recommended datasets modal.
Hidden themes are present in the database and are not filtered by every query.
Fixing every SQL query atomically by hand may not be an ideal solution; I think the model should take care of that directly at the root (I'm not sure how though, maybe by using a custom Manager?).
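The "filter at the root" idea, as an added plain-Python sketch that is not the repository's code: one visibility-scoped accessor that every public read (theme page, dataset page, keyword search, recommendations) goes through, so a hidden theme and its datasets cannot leak through a query that forgot the filter. The Theme, Dataset and Catalog classes and the sample records are constructed stand-ins; in Django the same filter would live in a custom Manager's get_queryset().

```python
"""Added example: a single visibility filter shared by every public query.

Assumptions (not from the repository): Theme/Dataset are constructed
stand-ins for the models; Catalog plays the role of a custom Manager whose
visible_*() methods are the only way views reach the data.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Theme:
    id: int
    name: str
    hidden: bool = False


@dataclass(frozen=True)
class Dataset:
    id: int
    title: str
    theme_id: int
    keywords: frozenset = field(default_factory=frozenset)


class Catalog:
    """All public reads are derived from visible_themes()/visible_datasets()."""

    def __init__(self, themes, datasets):
        self._themes = {t.id: t for t in themes}
        self._datasets = {d.id: d for d in datasets}

    # The one place where visibility is decided.
    def visible_themes(self):
        return [t for t in self._themes.values() if not t.hidden]

    def visible_datasets(self):
        # A dataset inherits visibility from its theme.
        visible_ids = {t.id for t in self.visible_themes()}
        return [d for d in self._datasets.values() if d.theme_id in visible_ids]

    # Public views: none of them re-implements the hidden check.
    def theme_page(self, theme_id) -> Optional[Theme]:
        return next((t for t in self.visible_themes() if t.id == theme_id), None)

    def dataset_page(self, dataset_id) -> Optional[Dataset]:
        return next((d for d in self.visible_datasets() if d.id == dataset_id), None)

    def search(self, keyword):
        return [d for d in self.visible_datasets() if keyword in d.keywords]

    def recommended(self, limit=5):
        return self.visible_datasets()[:limit]


def build_sample_catalog():
    """Constructed sample data: one public theme, one hidden theme, one dataset each,
    both datasets tagged with the same keyword."""
    themes = [Theme(1, "Transport"), Theme(2, "Internal draft", hidden=True)]
    datasets = [
        Dataset(10, "Bus stops", 1, frozenset({"bus", "map"})),
        Dataset(11, "Draft routes", 2, frozenset({"bus", "draft"})),
    ]
    return Catalog(themes, datasets)


if __name__ == "__main__":
    cat = build_sample_catalog()
    print(cat.theme_page(2), cat.dataset_page(11), [d.id for d in cat.search("bus")])
```

Routing every read through the same scoped accessor is what makes the fix hold across the theme page, the dataset page, keyword search and the recommendations modal at once, instead of depending on each query remembering the WHERE clause.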