Merge branch 'sensitive_vars' into 'release/1.1.0'

Hide sensitive vars, fix crash whoops. See merge request !270

Merge branch 'sensitive_vars' into 'release/1.1.0'
Hide sensitive vars, fix crash whoops. See merge request !270
ecc78651 · Thom Wiggers · 6069cc59 · 1ae37b89 · ecc78651 · ecc78651
Commit ecc78651 authored Dec 19, 2016 by Thom Wiggers 📐
--- a/website/thaliapp/views.py
+++ b/website/thaliapp/views.py
@@ -6,6 +6,8 @@ from django.views.decorators.http import require_POST
 from django.contrib.auth import authenticate
 from django.contrib.staticfiles.finders import find as find_static_file
 from django.core.cache import cache
+from django.views.decorators.debug import (sensitive_variables,
+                                           sensitive_post_parameters)
 from thaliapp.models import Token
 from hashlib import sha256
 import base64
@@ -27,6 +29,8 @@ def get_photo(user):
    return photo


+@sensitive_post_parameters()
+@sensitive_variables('user', 'password', 'token')
 @csrf_exempt
 @require_POST
 def login(request):
@@ -50,9 +54,11 @@ def login(request):
                             })
    return JsonResponse({'status': 'error',
                         'msg': 'Authentication Failed'},
-                        status_code=403)
+                        status=403)


+@sensitive_post_parameters()
+@sensitive_variables('username', 'token')
 @csrf_exempt
 @require_POST
 def app(request):
@@ -67,7 +73,7 @@ def app(request):
    if user is None:
        return JsonResponse({'status': 'error',
                            'msg': 'Authentication Failed'},
-                            status_code=403)
+                            status=403)
    today = datetime.date.today()
    eightteen_years_ago = today.replace(year=today.year - 18)
    over18 = str(user.member.birthday <= eightteen_years_ago)
@@ -89,6 +95,8 @@ def app(request):
                         })


+@sensitive_post_parameters()
+@sensitive_variables('username', 'token')
 @csrf_exempt
 @require_POST
 def scan(request):
@@ -102,6 +110,6 @@ def scan(request):
    if user is None:
        return JsonResponse({'status': 'error',
                            'msg': 'Authentication Failed'},
-                            status_code=403)
+                            status=403)
    cache.set(''.join([qrtoken]), user, 300)
    return JsonResponse({'status': 'ok'})
--- a/website/thaliawebsite/views.py
+++ b/website/thaliawebsite/views.py
@@ -8,6 +8,8 @@ from django.shortcuts import render
 from django.utils import timezone
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_POST
+from django.views.decorators.debug import (sensitive_variables,
+                                           sensitive_post_parameters)

 from members.models import Member

@@ -17,6 +19,8 @@ def styleguide(request):
    return render(request, 'singlepages/styleguide.html')


+@sensitive_variables()
+@sensitive_post_parameters()
 @require_POST
 @csrf_exempt
 def wiki_login(request):
@@ -50,7 +54,7 @@ def wiki_login(request):
                             'committees': memberships})
    return JsonResponse({'status': 'error',
                         'msg': 'Authentication Failed'},
-                        status_code=403)
+                        status=403)


 @staff_member_required