Commit f15bece1 authored by Sébastiaan Versteeg's avatar Sébastiaan Versteeg Committed by Thom Wiggers

Fix next url in events registrations admin

parent fb7a15ef
# -*- coding: utf-8 -*-
"""Registers admin interfaces for the events module"""
from django.contrib import admin
from django.core.exceptions import DisallowedRedirect
from django.db.models import Max, Min
from django.http import HttpResponseRedirect
from django.template.defaultfilters import date as _date
......@@ -22,10 +23,15 @@ from . import forms, models
def _do_next(request, response):
"""See DoNextModelAdmin"""
if 'next' in request.GET and is_safe_url(request.GET['next']):
return HttpResponseRedirect(request.GET['next'])
else:
return response
if 'next' in request.GET:
if not is_safe_url(request.GET['next']):
raise DisallowedRedirect
elif '_save' in request.POST:
return HttpResponseRedirect(request.GET['next'])
elif response is not None:
return HttpResponseRedirect('{}?{}'.format(
response.url, request.GET.urlencode()))
return response
class DoNextModelAdmin(TranslatedModelAdmin):
......
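Review bot: The last branch of what appears to be the new `_do_next` reads `response.url`, which only exists on redirect responses. If the parent `response_add`/`response_change` returns anything else (Django's admin does so for popup submissions, as far as I know), a request carrying `next` would fail with an AttributeError instead of returning that response. Guarding with `elif isinstance(response, HttpResponseRedirect):` keeps the fall-through `return response` for every other case; the `'{}?{}'` format also assumes `response.url` has no query string of its own. Separately, the bare `raise DisallowedRedirect` carries no message, so the `django.security` log entry will not show which `next` value was rejected. `raise DisallowedRedirect("Unsafe next url: %s" % request.GET['next'])` would make rejected redirects traceable.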
......@@ -2,6 +2,7 @@ import datetime
from unittest import mock
from django.contrib.admin import AdminSite
from django.core.exceptions import DisallowedRedirect
from django.http import HttpResponseRedirect
from django.test import TestCase, RequestFactory, override_settings
from django.utils import timezone
......@@ -32,21 +33,26 @@ class DoNextModelAdminTest(TestCase):
response = self.admin.response_add(request, None)
self.assertIsNone(response, "Should return the original response")
request = self.rf.get('/admin/events/event/1', data={
'next': 'http://example.org',
})
response = self.admin.response_add(request, None)
self.assertNotIsInstance(response, HttpResponseRedirect,
"Should not redirect")
request = self.rf.post('/admin/events/event/1?next=http://example.org',
data={
'_save': True
})
with self.assertRaises(DisallowedRedirect):
self.admin.response_add(request, None)
request = self.rf.get('/admin/events/event/1', data={
'next': '/test',
request = self.rf.post('/admin/events/event/1?next=/test', data={
'_save': True
})
response = self.admin.response_add(request, None)
self.assertIsInstance(response, HttpResponseRedirect)
self.assertEqual('/test', response.url,
"Should return the url in the next parameter.")
request = self.rf.post('/admin/events/event/1?next=/test')
response = self.admin.response_add(request, None)
self.assertNotIsInstance(response, HttpResponseRedirect,
"Should not redirect")
@mock.patch('utils.translation.TranslatedModelAdmin.response_change')
def test_response_change(self, super_mock):
super_mock.return_value = None
......@@ -55,21 +61,26 @@ class DoNextModelAdminTest(TestCase):
response = self.admin.response_change(request, None)
self.assertIsNone(response, "Should return the original response")
request = self.rf.get('/admin/events/event/1', data={
'next': 'http://example.org',
})
response = self.admin.response_change(request, None)
self.assertNotIsInstance(response, HttpResponseRedirect,
"Should not redirect")
request = self.rf.post('/admin/events/event/1?next=http://example.org',
data={
'_save': True
})
with self.assertRaises(DisallowedRedirect):
self.admin.response_change(request, None)
request = self.rf.get('/admin/events/event/1', data={
'next': '/test',
request = self.rf.post('/admin/events/event/1?next=/test', data={
'_save': True
})
response = self.admin.response_change(request, None)
self.assertIsInstance(response, HttpResponseRedirect)
self.assertEqual('/test', response.url,
"Should return the url in the next parameter.")
request = self.rf.post('/admin/events/event/1?next=/test')
response = self.admin.response_change(request, None)
self.assertNotIsInstance(response, HttpResponseRedirect,
"Should not redirect")
@freeze_time('2017-01-01')
class RegistrationInformationFieldInlineTest(TestCase):
......
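Review bot: Neither test appears to exercise the new branch that re-appends the query string to the parent's redirect, because the mocked parent returns `None` throughout (`super_mock.return_value = None` in `test_response_change`; the `response_add` setup is outside the visible hunk). A case with `super_mock.return_value = HttpResponseRedirect('/admin/events/event/1')` and a POST without `_save` should assert that the result is a redirect whose URL still carries the `next` parameter. The rejection path is only checked with an absolute `http://example.org` value; adding a scheme-relative one such as `//example.org` would pin the behaviour for the other common external-redirect form. Both test methods start outside their hunks.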