From 4a6c6d49ef31e92ec4cdb1b396c5650861e6787d Mon Sep 17 00:00:00 2001
From: MaM Web user
Date: Tue, 7 Sep 2021 17:23:54 +0200
Subject: [PATCH] =?UTF-8?q?Sensitivn=C3=AD=20POST=20parametry=20by=20se=20?=
 =?UTF-8?q?nem=C4=9Bly=20pos=C3=ADlat=20mailem?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 seminar/views/views_all.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/seminar/views/views_all.py b/seminar/views/views_all.py
index c72dafcf..3837c95e 100644
--- a/seminar/views/views_all.py
+++ b/seminar/views/views_all.py
@@ -12,6 +12,7 @@ from django.utils.translation import ugettext as _
 from django.http import Http404,HttpResponseBadRequest,HttpResponseRedirect
 from django.db.models import Q, Sum, Count
 from django.views.decorators.csrf import ensure_csrf_cookie
+from django.views.decorators.debug import sensitive_post_parameters
 from django.views.generic.edit import FormView, CreateView
 from django.views.generic.base import TemplateView, RedirectView
 from django.contrib.auth import authenticate, login, get_user_model, logout
@@ -1133,6 +1134,7 @@ def prihlaska_log_gdpr_safe(logger, gdpr_logger, msg, form_data):
 gdpr_logger.warn(msg+", form:{}".format(form_data))
 from django.forms.models import model_to_dict
+@sensitive_post_parameters('jmeno', 'prijmeni', 'email', 'telefon', 'datum_narozeni', 'ulice', 'mesto', 'psc', 'skola')
 def resitelEditView(request):
 err_logger = logging.getLogger('seminar.prihlaska.problem')
 ## Načtení objektů Osoba a Resitel patřících k aktuálně přihlášenému uživateli
@@ -1207,6 +1209,7 @@ def resitelEditView(request):
 return render(request, 'seminar/profil/edit.html', {'form': form})
+@sensitive_post_parameters('jmeno', 'prijmeni', 'email', 'telefon', 'datum_narozeni', 'ulice', 'mesto', 'psc', 'skola')
 def prihlaskaView(request):
 generic_logger = logging.getLogger('seminar.prihlaska')
 err_logger = logging.getLogger('seminar.prihlaska.problem')
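Review bot: The decorator on `resitelEditView` only masks the listed values in Django's exception report (the debug/500 mail built from `request.POST`); the context line `gdpr_logger.warn(msg+", form:{}".format(form_data))` at the top of this hunk still formats the raw form data into a log record, so whether those values reach e-mail also depends on which handlers are attached to the loggers passed to `prihlaska_log_gdpr_safe`, which are not visible here. If a mail handler is configured on that logger, the sensitive fields would need to be redacted before the `format` call, not only in the error report. The same nine-name list is repeated verbatim on `prihlaskaView` in the next hunk; a module-level tuple such as `_RESITEL_SENSITIVE = ('jmeno', 'prijmeni', 'email', 'telefon', 'datum_narozeni', 'ulice', 'mesto', 'psc', 'skola')` used as `@sensitive_post_parameters(*_RESITEL_SENSITIVE)` keeps the two views in sync. `prihlaska_log_gdpr_safe` starts before this hunk and both decorated view bodies continue past it.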
@@ -1360,16 +1363,20 @@ Tento e-mail byl vygenerován automaticky, chceš-li nás kontaktovat, napiš n
 return render(request, 'seminar/profil/prihlaska.html', {'form': form})
 # FIXME: Tohle asi vlastně vůbec nepatří do aplikace 'seminar'
+@sensitive_post_parameters('password')
 class LoginView(auth_views.LoginView):
 # Jen vezmeme vestavěný a dáme mu vhodný template a přesměrovací URL
 template_name = 'seminar/profil/login.html'
+@sensitive_post_parameters('password')
 class LogoutView(auth_views.LogoutView):
 # Jen vezmeme vestavěný a dáme mu vhodný template a přesměrovací URL
 template_name = 'seminar/profil/logout.html'
 # Pavel: Vůbec nevím, proč to s _lazy funguje, ale bez toho to bylo rozbité.
 next_page = reverse_lazy('titulni_strana')
+# Nejsem si jistý, který view co dostává, tak zahazuji všechny POSTy
+@sensitive_post_parameters()
 class PasswordResetView(auth_views.PasswordResetView):
 """ Chci resetovat heslo. """
 template_name = 'seminar/registrace/reset_hesla.html'
@@ -1378,19 +1385,23 @@ class PasswordResetView(auth_views.PasswordResetView):
 email_template_name = 'seminar/registrace/password_reset_email.html'
 subject_template_name = 'seminar/registrace/password_reset_subject.txt'
+@sensitive_post_parameters()
 class PasswordResetDoneView(auth_views.PasswordResetDoneView):
 """ Poslali jsme e-mail (pokud bylo kam)). """
 template_name = 'seminar/registrace/reset_poslan.html'
+@sensitive_post_parameters()
 class PasswordResetConfirmView(auth_views.PasswordResetConfirmView):
 """ Vymysli si heslo. """
 template_name = 'seminar/registrace/nove_heslo.html'
 success_url = reverse_lazy('reset_password_complete')
+@sensitive_post_parameters()
 class PasswordResetCompleteView(auth_views.PasswordResetCompleteView):
 """ Heslo se asi změnilo."""
 template_name = 'seminar/registrace/nove_nastaveno.html'
+@sensitive_post_parameters()
 class PasswordChangeView(auth_views.PasswordChangeView):
 #template_name = 'seminar/password_change.html'
 success_url = reverse_lazy('titulni_strana')
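Review bot: Putting `sensitive_post_parameters` directly on a class (`LoginView`, `LogoutView` and `PasswordResetView` here, and the four classes in the next hunk) does not mark the request: the decorator is written for function views, so each class name is rebound to a plain wrapper function — if the URLconf calls `LoginView.as_view()` that lookup now fails, and Django's wrapper rejects a first argument that is not an `HttpRequest` (its own message says to use `method_decorator`). Apply it to `dispatch` instead, e.g. `@method_decorator(sensitive_post_parameters('password'), name='dispatch')` on `LoginView`, with `from django.utils.decorators import method_decorator` added to the import block. Django's bundled `LoginView`, `PasswordResetConfirmView` and `PasswordChangeView` already decorate `dispatch` with `sensitive_post_parameters()`, so on those subclasses the override mainly documents intent, while `LogoutView` has no password field to mask. The new comment `zahazuji všechny POSTy` overstates the effect: the decorator only substitutes a placeholder for the values in the error report and does not drop any POST data, so something like `# hodnoty POSTu se v chybovém reportu nahradí zástupným textem` would describe it accurately.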