kamandprompt / car-pool Goto Github PK

Banner looks unappealing and consumes a lot of space. Remove it.

The email id used currently in proj/settings.py has been blocked. Create a new one and keeps its id password out of the main files (preferably create a json file) and add the json file to gitignore, so that no one has access to that email id.. and only admins know it.

Currently, the user adds a new ride and it creates a new Pool object which is stored in DB. However the user doesn't fetch any confirmation that his/her submission was successful or not. Redirect the user to the home page, and showcase a temporary alert mentioning that the submission was successful.

As this has to be made production ready, remove all instances which shows that this was made for a hackathon

right now if a person unticks paid trip(that is when a ride is added) the search doesn't output this trip if free is not ticked on the dashboard which actually should have been shown. What is meant that free tickde should show only those rides which have amount 0(even if adder clicked paid and then kept the amount as 0). otherwise all possible options of the day should be shown.

The project used a Gmail SMTP server which needs to be updated now. We can use the free tier of some services like SendGrid.

The code for configuring the SMTP server can be found here:

👋 Hello, @Varunvaruns9, @vsvipul, @dependabot[bot] - a potential high severity Insufficiently Protected Credentials (CWE-522) vulnerability in your repository has been disclosed to us.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-KamandPrompt/Car-Pool for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community - whoever fixes it gets paid.

✏️ NOTE: If we don't hear from you in 14 days, we will proactively source a fix for this vulnerability (and open a PR) to ensure community safety.

Confused or need more help?

• Join us on our Discord and a member of our team will be happy to help! 🤗

• Speak to a member of our team: @JamieSlome

This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

Problem

Currently, these are the problems with validation of pool form:

• Seats can be assigned zero and negative values.
• User can select any past datetime values.
• Source and Destination can be same.
• Unpaid trips store the amount in database(if the paid box is unchecked, then the amount stored in database should be 0)
• Amount on paid trips cannot be negative

Solution

We can override the default form.clean() method on class PoolForm() and make a custom clean method.

    def clean(self):
        cleaned_data = super(PoolForm,self).clean()
        
        if cleaned_data.get('tot') <= 0:
            raise forms.ValidationError("There should be atleast 1 seats")
            
        if datetime.strptime(cleaned_data.get('dateTime'),"%Y-%m-%d %H:%M") <= datetime.now():
            raise forms.ValidationError("Selected DateTime has passed. Please select a valid date.")

        if cleaned_data.get('source') == cleaned_data.get('dest'):
            raise forms.ValidationError("Source and Destination should be different") 
        
        if cleaned_data.get('paid') == False:
            self.cleaned_data['amount']=0
        else :
            if cleaned_data.get('amount') < 0:
                raise forms.ValidationError("Amount should be positive")

        
        return cleaned_data

@dipanshu231099 Please review this issue and its solution

Currently, we have to use 3 drop-downs in filter ride,

and give the date and time in specified format in Add Ride form,

Instead we would want to have a calendar widget send the data to backend in the required format.

Currently the filter UI doesn't look like any standard filter you would find online. We should either make it a single line form or hide it under the name "Filters" unless someone clicks on it.

Add Ride and Filter forms currently don't have any proper error display container. We should add required error messages and display them if they are encountered.

Currently, we only show a text message telling the user that his account has been confirmed. Add a properly styled page with a link to the original website.