fix: Ballot return to url via url params rather than session (#7788)
* fix: #7287 ballot return params
* fix: Moving Ballot edit position ballot_edit_return_point from session to query param
* fix: tests for return_to_path param
* chore: removing Playwright tests until we can figure out a plan
* feat: return_to path utility refactoring
* fix: throw HTTP 400 in view rather than bubbling up a 500
* fix: return http400 rather than raising
Showing 8 changed files with 91 additions and 23 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,10 +1,34 @@ | ||
# Copyright The IETF Trust 2023, All Rights Reserved | ||
# Copyright The IETF Trust 2023-2024, All Rights Reserved | ||
# -*- coding: utf-8 -*- | ||
|
||
from django.urls import resolve as urlresolve, Resolver404 | ||
|
||
def is_ajax(request): | ||
"""Checks whether a request was an AJAX call | ||
See https://docs.djangoproject.com/en/3.1/releases/3.1/#id2 - this implements the | ||
exact reproduction of the deprecated method suggested there. | ||
""" | ||
return request.headers.get("x-requested-with") == "XMLHttpRequest" | ||
|
||
def validate_return_to_path(path, get_default_path, allowed_path_handlers): | ||
if path is None: | ||
path = get_default_path() | ||
|
||
# we need to ensure the path isn't used for attacks (eg phishing). | ||
# `path` can be used in HttpResponseRedirect() which could redirect to Datatracker or offsite. | ||
# Eg http://datatracker.ietf.org/...?ballot_edit_return_point=https://example.com/phish | ||
# offsite links could be phishing attempts so let's reject them all, and require valid Datatracker | ||
# routes | ||
try: | ||
# urlresolve will throw if the url doesn't match a route known to Django | ||
match = urlresolve(path) | ||
# further restrict by whether it's in the list of valid routes to prevent | ||
# (eg) redirecting to logout | ||
if match.url_name not in allowed_path_handlers: | ||
raise ValueError("Invalid return to path not among valid matches") | ||
pass | ||
except Resolver404: | ||
raise ValueError("Invalid return to path doesn't match a route") | ||
|
||
return path |
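Review bot: the validation in this hunk is route-based only, so everything rests on `urlresolve(path)` raising `Resolver404` for any value that is not a Datatracker route; as defence in depth, reject anything that is not a same-site relative path before resolving it, e.g. `if not url_has_allowed_host_and_scheme(path, allowed_hosts=None): raise ValueError(...)` from `django.utils.http`, so a scheme- or host-carrying value never reaches the resolver or `HttpResponseRedirect()`. Two smaller points: the bare `pass` after `raise ValueError(...)` is unreachable and should be dropped, and because `resolve()` matches the path component only, a value carrying a query string or fragment will be rejected as not matching a route, which the function has no docstring to warn callers about; a short docstring stating that `path` must be the bare path and that `ValueError` is the rejection signal would help the views that turn it into an HTTP 400.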