From 3e1ff935b220cb539d6b8dc551119052ef9e7da9 Mon Sep 17 00:00:00 2001
From: Thom Wiggers
Date: Mon, 19 Dec 2016 21:48:26 +0100
Subject: [PATCH 1/2] Hide sensitive vars, fix crash

---
 website/thaliawebsite/views.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/website/thaliawebsite/views.py b/website/thaliawebsite/views.py
index 1332bf1f..755372b0 100644
--- a/website/thaliawebsite/views.py
+++ b/website/thaliawebsite/views.py
@@ -8,6 +8,8 @@ from django.shortcuts import render
 from django.utils import timezone
 from django.views.decorators.csrf import csrf_exempt
 from django.views.decorators.http import require_POST
+from django.views.decorators.debug import (sensitive_variables,
+                                           sensitive_post_parameters)
 
 from members.models import Member
 
@@ -17,6 +19,8 @@ def styleguide(request):
     return render(request, 'singlepages/styleguide.html')
 
 
+@sensitive_variables('apikey', 'user', 'password')
+@sensitive_post_parameters('apikey', 'user', 'password')
 @require_POST
 @csrf_exempt
 def wiki_login(request):
@@ -50,7 +54,7 @@ def wiki_login(request):
                         'committees': memberships})
     return JsonResponse({'status': 'error',
                          'msg': 'Authentication Failed'},
-                        status_code=403)
+                        status=403)
 
 
 @staff_member_required
-- 
GitLab

From 1ae37b8989dbda63d48c7de57d49a44a4f7adb7c Mon Sep 17 00:00:00 2001
From: Thom Wiggers
Date: Mon, 19 Dec 2016 22:23:41 +0100
Subject: [PATCH 2/2] Also hide sensitive vars from ThaliApp

---
 website/thaliapp/views.py      | 14 +++++++++++---
 website/thaliawebsite/views.py |  4 ++--
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/website/thaliapp/views.py b/website/thaliapp/views.py
index 7a693e6c..8fd22d0b 100644
--- a/website/thaliapp/views.py
+++ b/website/thaliapp/views.py
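Review bot: The names handed to `sensitive_variables('apikey', 'user', 'password')` must equal the local variable names inside wiki_login exactly, and the view body lies outside this hunk, so I cannot confirm they do; any other local that ends up holding the credential (a parsed dict, a temporary) would still be printed in Django's technical 500 page and error e-mails. The same applies to `sensitive_post_parameters('apikey', 'user', 'password')`, whose names must match the POST field names the view reads. Both decorators only feed Django's exception-report filter; they do nothing for values passed to logging or to other error handlers, so a comment above them would keep the next reader from over-trusting them, e.g. `# Masks these names in Django error reports only; keep request.POST out of log calls.`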
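Review bot: `status=403` replaces a keyword that HttpResponse does not accept, so until now the failed-login branch raised TypeError and a wrong password produced a 500 error report carrying the submitted credentials instead of a 403; nothing in the series adds a test for that branch. A regression test that POSTs bad credentials to wiki_login and asserts `response.status_code == 403` and `response.json()['status'] == 'error'` would have caught the original crash and will catch a repeat. The identical one-line fix recurs in login, app and scan in website/thaliapp/views.py in the second patch, which deserve the same failure-path tests. wiki_login's body starts outside this hunk.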
@@ -6,6 +6,8 @@ from django.views.decorators.http import require_POST
 from django.contrib.auth import authenticate
 from django.contrib.staticfiles.finders import find as find_static_file
 from django.core.cache import cache
+from django.views.decorators.debug import (sensitive_variables,
+                                           sensitive_post_parameters)
 from thaliapp.models import Token
 from hashlib import sha256
 import base64
@@ -27,6 +29,8 @@ def get_photo(user):
     return photo
 
 
+@sensitive_post_parameters()
+@sensitive_variables('user', 'password', 'token')
 @csrf_exempt
 @require_POST
 def login(request):
@@ -50,9 +54,11 @@ def login(request):
                         })
     return JsonResponse({'status': 'error',
                          'msg': 'Authentication Failed'},
-                        status_code=403)
+                        status=403)
 
 
+@sensitive_post_parameters()
+@sensitive_variables('username', 'token')
 @csrf_exempt
 @require_POST
 def app(request):
@@ -67,7 +73,7 @@ def app(request):
     if user is None:
         return JsonResponse({'status': 'error',
                              'msg': 'Authentication Failed'},
-                            status_code=403)
+                            status=403)
     today = datetime.date.today()
     eightteen_years_ago = today.replace(year=today.year - 18)
     over18 = str(user.member.birthday <= eightteen_years_ago)
@@ -89,6 +95,8 @@ def app(request):
                         })
 
 
+@sensitive_post_parameters()
+@sensitive_variables('username', 'token')
 @csrf_exempt
 @require_POST
 def scan(request):
@@ -102,6 +110,6 @@ def scan(request):
     if user is None:
         return JsonResponse({'status': 'error',
                              'msg': 'Authentication Failed'},
-                            status_code=403)
+                            status=403)
     cache.set(''.join([qrtoken]), user, 300)
     return JsonResponse({'status': 'ok'})
diff --git a/website/thaliawebsite/views.py b/website/thaliawebsite/views.py
index 755372b0..72c0076e 100644
--- a/website/thaliawebsite/views.py
+++ b/website/thaliawebsite/views.py
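Review bot: `sensitive_variables('username', 'token')` on scan does not cover `qrtoken`, the local that the last hunk of this file passes to `cache.set`, so an exception raised in scan would still print that token in the error report; the enumerated lists on login and app may have the same gap, since their bodies are outside the hunks. The second file in this patch switches wiki_login to the argument-less form that masks every local; using `@sensitive_variables()` on login, app and scan too would close the gap and keep the two modules consistent. The lists also disagree on spelling (`'user'` on login, `'username'` on app and scan), which suggests they were not checked against the view bodies.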
@@ -19,8 +19,8 @@ def styleguide(request):
     return render(request, 'singlepages/styleguide.html')
 
 
-@sensitive_variables('apikey', 'user', 'password')
-@sensitive_post_parameters('apikey', 'user', 'password')
+@sensitive_variables()
+@sensitive_post_parameters()
 @require_POST
 @csrf_exempt
 def wiki_login(request):
-- 
GitLab
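Review bot: The move from named arguments to bare `sensitive_variables()` / `sensitive_post_parameters()` deliberately widens the masking to every local and every POST field, but nothing in the hunk records that intent, and a later reader may narrow it back to the three names the previous commit used. A one-line comment above the decorators would preserve the reasoning, e.g. `# No arguments on purpose: mask all locals and POST fields in error reports, not just the credential names.`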