Changes between Version 5 and Version 9 of Ticket #927

Timestamp: Aug 1, 2014, 4:26:20 PM (10 years ago)
Author: Elrond
Comment:

Re-Open for more items in views.py. Especially more security. See description.

  • Ticket #927

    • Property Owner: Jessica Tallon removed
    • Property Status: in_progress → accepted
    • Property Priority: major → critical
  • Ticket #927 – Description (v5 → v9)

    * In the long run, this should be refactored together with submit/lib.py to provide a consistent upload api for everybody, again.

    '''views.py security'''
    * oauth authenticates user A; the URL contains user B; and for some cases, there is an already existing object O, owned by user C.
    * I guess that all three users must be the same. If not, please explain in detail why (comments in code!)
    * Testing for A == B is already in the code.
    * Testing for C == A is not yet there.

    '''views.py style'''
    * There are a bunch of
      {{{
      obj = Klass.query.filter(...)
      if obj is None:
        return error
      obj = obj[0]
      }}}
      in there. The if will never fire, as filter() always returns an unfinished query object. Please replace by
      {{{
      obj = ...filter(...).first()
      if obj is None:
        return error
      }}}

    If any more issues are found please add them to this ticket. This is a rather large issue but most of the tasks in it are so small it doesn't warrant splitting them up.
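The two points in the description, the `is None` check that can never fire after `filter()` and the missing A == B == C ownership check, as an added example that is not part of the ticket or of MediaGoblin's code; the `Query` class is a constructed stand-in for SQLAlchemy's lazy query object, and `MediaEntry`, the user names and the `authorize` helper are made up for the illustration.

```python
from dataclasses import dataclass

@dataclass
class MediaEntry:
    id: int
    uploader: str  # owner "C" in the ticket's terminology

class Query:
    """Constructed stand-in for SQLAlchemy's lazy Query: filter() only records a
    predicate and never returns None; first() or [0] actually fetch a row."""
    def __init__(self, rows, predicates=()):
        self._rows, self._predicates = rows, tuple(predicates)
    def filter(self, predicate):
        return Query(self._rows, self._predicates + (predicate,))
    def _matches(self):
        return [r for r in self._rows if all(p(r) for p in self._predicates)]
    def first(self):  # the matching row, or None when nothing matches
        return next(iter(self._matches()), None)
    def __getitem__(self, i):  # obj[0] raises IndexError on an empty result
        return self._matches()[i]

ENTRIES = [MediaEntry(1, "alice"), MediaEntry(2, "bob")]  # constructed sample rows

def lookup_buggy(entry_id):
    obj = Query(ENTRIES).filter(lambda e: e.id == entry_id)
    if obj is None:  # never true: filter() returned a Query, not a row
        return "not found"
    try:
        return obj[0]  # on a miss this raises instead of returning the error page
    except IndexError:
        return "IndexError"

def lookup_fixed(entry_id):
    obj = Query(ENTRIES).filter(lambda e: e.id == entry_id).first()
    if obj is None:  # now fires on a miss
        return "not found"
    return obj

def authorize(oauth_user, url_user, entry_id):
    """A (token user), B (URL user) and, if object O exists, C (owner) must agree."""
    if oauth_user != url_user:  # A == B: already checked in views.py per the ticket
        return "forbidden"
    obj = Query(ENTRIES).filter(lambda e: e.id == entry_id).first()
    if obj is not None and obj.uploader != oauth_user:  # C == A: the missing check
        return "forbidden"
    return "ok"
```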