plug up some websocket security holes
This commit is contained in:
parent
05a618a15f
commit
48c307778e
|
@ -25,6 +25,9 @@ def message(socket, data):
|
|||
"""
|
||||
message = data.get('message')
|
||||
|
||||
if not all(locals().values()):
|
||||
return
|
||||
|
||||
# cleaning
|
||||
message = message[:512]
|
||||
message = message.strip()
|
||||
|
@ -153,12 +156,15 @@ def text_post(socket, data):
|
|||
"""
|
||||
quest = Quest.objects.get(id=socket.quest_id)
|
||||
user = socket.scope['user']
|
||||
if quest.owner != user:
|
||||
return # error message?
|
||||
if quest.owner != user: # 401 not allowed
|
||||
return
|
||||
|
||||
post_text = data.get('text')
|
||||
page_num = data.get('page_num')
|
||||
|
||||
if not all(locals().values()):
|
||||
return
|
||||
|
||||
try:
|
||||
page = Page.objects.get(quest=quest, page_num=page_num)
|
||||
except Page.DoesNotExist:
|
||||
|
@ -207,8 +213,8 @@ def dice_post(socket, data):
|
|||
"""
|
||||
quest = Quest.objects.get(id=socket.quest_id)
|
||||
user = socket.scope['user']
|
||||
if quest.owner != user:
|
||||
return # error message?
|
||||
if quest.owner != user: # 401 not allowed
|
||||
return
|
||||
|
||||
page_num = data.get('page_num')
|
||||
try:
|
||||
|
@ -218,7 +224,8 @@ def dice_post(socket, data):
|
|||
|
||||
form = DiceCallForm(data)
|
||||
if not form.is_valid():
|
||||
return # error message?
|
||||
# TODO: error message event
|
||||
return
|
||||
form = form.cleaned_data
|
||||
|
||||
posts = Post.objects.filter(
|
||||
|
@ -288,8 +295,8 @@ def poll_post(socket, data):
|
|||
"""
|
||||
quest = Quest.objects.get(id=socket.quest_id)
|
||||
user = socket.scope['user']
|
||||
if quest.owner != user:
|
||||
return # error message?
|
||||
if quest.owner != user: # 401 not allowed
|
||||
return
|
||||
|
||||
page_num = data.get('page_num')
|
||||
try:
|
||||
|
@ -358,12 +365,15 @@ def edit_post(socket, data):
|
|||
"""
|
||||
quest = Quest.objects.get(id=socket.quest_id)
|
||||
user = socket.scope['user']
|
||||
if quest.owner != user:
|
||||
return # error message?
|
||||
if quest.owner != user: # 401 not allowed
|
||||
return
|
||||
|
||||
post_id = data.get('post_id')
|
||||
post_text = data.get('post_text')
|
||||
|
||||
if not all(locals().values()):
|
||||
return
|
||||
|
||||
try:
|
||||
p = Post.objects.get(id=post_id)
|
||||
except Post.DoesNotExist:
|
||||
|
@ -392,8 +402,8 @@ def close_post(socket, data):
|
|||
"""
|
||||
quest = Quest.objects.get(id=socket.quest_id)
|
||||
user = socket.scope['user']
|
||||
if quest.owner != user:
|
||||
return # error message?
|
||||
if quest.owner != user: # 401 not allowed
|
||||
return
|
||||
|
||||
post_id = data.get('post_id')
|
||||
try:
|
||||
|
@ -419,8 +429,8 @@ def open_post(socket, data):
|
|||
"""
|
||||
quest = Quest.objects.get(id=socket.quest_id)
|
||||
user = socket.scope['user']
|
||||
if quest.owner != user:
|
||||
return # error message?
|
||||
if quest.owner != user: # 401 not allowed
|
||||
return
|
||||
|
||||
post_id = data.get('post_id')
|
||||
try:
|
||||
|
@ -456,12 +466,15 @@ def new_page(socket, data):
|
|||
"""
|
||||
quest = Quest.objects.get(id=socket.quest_id)
|
||||
user = socket.scope['user']
|
||||
if quest.owner != user:
|
||||
return # error message?
|
||||
if quest.owner != user: # 401 not allowed
|
||||
return
|
||||
|
||||
title = data.get('page_title')
|
||||
appendix = bool(data.get('appendix'))
|
||||
|
||||
if not all(locals().values()):
|
||||
return
|
||||
|
||||
if appendix:
|
||||
page = Page.objects.filter(
|
||||
quest=quest,
|
||||
|
@ -521,23 +534,33 @@ def vote(socket, data):
|
|||
ip_address = socket.scope['client'][0]
|
||||
user = socket.scope['user']
|
||||
|
||||
if polarity == False:
|
||||
if not all(locals().values()):
|
||||
return
|
||||
|
||||
try:
|
||||
v = PollVote.objects.get(
|
||||
p = Poll.objects.get(post_id=post_id)
|
||||
except Poll.DoesNotExist:
|
||||
return
|
||||
|
||||
if not p.open:
|
||||
return
|
||||
|
||||
if polarity == False: # player removes his vote
|
||||
try:
|
||||
pv = PollVote.objects.get(
|
||||
ip_address=ip_address,
|
||||
option__id=option_id
|
||||
)
|
||||
except PollVote.DoesNotExist:
|
||||
return
|
||||
v.delete()
|
||||
else:
|
||||
pv.delete()
|
||||
else: # player makes a new vote
|
||||
try:
|
||||
p = Poll.objects.get(post_id=post_id)
|
||||
option = PollOption.objects.get(id=option_id)
|
||||
except (Poll.DoesNotExist, PollOption.DoesNotExist):
|
||||
except PollOption.DoesNotExist:
|
||||
return
|
||||
pvs = PollVote.objects.filter(option=option, ip_address=ip_address)
|
||||
if pvs.count() != 0:
|
||||
if pvs.count() != 0: # if player has voted for this option already
|
||||
return
|
||||
|
||||
if p.multi_choice == False:
|
||||
|
@ -572,20 +595,26 @@ def write_in(socket, data):
|
|||
Called when a player creates a new write-in.
|
||||
"""
|
||||
post_id = data.get('post_id')
|
||||
option_text = data.get('option_text', '')
|
||||
option_text = data.get('option_text')
|
||||
user = socket.scope['user']
|
||||
|
||||
if not all(locals().values()):
|
||||
return
|
||||
|
||||
try:
|
||||
p = Poll.objects.get(post_id=post_id)
|
||||
except Poll.DoesNotExist:
|
||||
return
|
||||
|
||||
if not p.allow_writein:
|
||||
return
|
||||
|
||||
option_text = option_text.strip()
|
||||
if not option_text:
|
||||
return
|
||||
option_text = "Write-in: " + bleach.clean(option_text)
|
||||
if len(option_text) > 200:
|
||||
# error message?
|
||||
# TODO: error message event
|
||||
return
|
||||
o = PollOption(
|
||||
poll=p,
|
||||
|
|
|
@ -187,7 +187,7 @@ function submitWritein(post_id) {
|
|||
let option_text = writeinInput.value;
|
||||
writeinInput.value = '';
|
||||
if (!option_text) { return; }
|
||||
socket.send('write_in', {option_text: option_text, post_id: post_id});
|
||||
socket.send('write_in', {post_id: post_id, option_text: option_text});
|
||||
}
|
||||
|
||||
/* Helpers */
|
||||
|
|
Loading…
Reference in New Issue
Block a user