From c6b23f6aa0dcacb6e0f3b75ada4bcc12f7c25924 Mon Sep 17 00:00:00 2001
From: PCoder
Date: Fri, 4 Aug 2017 20:54:28 +0530
Subject: [PATCH 1/2] Added get_object method to verify if the user is the owner of the ssh key
---
 hosting/views.py | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/hosting/views.py b/hosting/views.py
index 19ec5b2a..33477b50 100644
--- a/hosting/views.py
+++ b/hosting/views.py
@@ -342,6 +342,13 @@ class SSHKeyDeleteView(LoginRequiredMixin, DeleteView):
 success_url = reverse_lazy('hosting:ssh_keys')
 model = UserHostingKey
+ def get_object(self, queryset=None):
+ """ Hook to ensure object is owned by request.user. """
+ obj = super(SSHKeyDeleteView, self).get_object()
+ if not obj.owner == self.request.user:
+ raise Http404
+ return obj
+
 def delete(self, request, *args, **kwargs):
 owner = self.request.user
 manager = OpenNebulaManager()
From d85afd56e083c1da1a30001338fccb3343af5fd2 Mon Sep 17 00:00:00 2001
From: "M.Ravi"
Date: Fri, 4 Aug 2017 17:49:35 +0200
Subject: [PATCH 2/2] Fixed an issue - Changed owner -> user - Reformatted code
---
 hosting/views.py | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/hosting/views.py b/hosting/views.py
index 33477b50..f5fbd0a7 100644
--- a/hosting/views.py
+++ b/hosting/views.py
@@ -210,9 +210,9 @@ class SignupValidateView(TemplateView):
 def get_context_data(self, **kwargs): context = super(SignupValidateView, self).get_context_data(**kwargs) login_url = '' + str(_('login')) + '' + reverse('hosting:login') + '">' + str(_('login')) + '' home_url = 'Data Center Light' + reverse('datacenterlight:index') + '">Data Center Light' message = '{signup_success_message} {lurl} \
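Review bot: In [PATCH 1/2], `SSHKeyDeleteView.get_object` accepts `queryset` but calls the parent without it, so a queryset passed by a caller is silently ignored; forward it with `obj = super(SSHKeyDeleteView, self).get_object(queryset)`. The ownership check is the right place for this, since `get_object` sits on both the GET confirmation and the POST delete path of a `DeleteView`, and answering with `Http404` rather than a 403 avoids confirming which key ids exist for other users. `Http404` has to be imported in `hosting/views.py`; the import block is outside the hunk, so confirm it is there. The same ownership question applies to any other view in this file that loads a `UserHostingKey` by id, which this hunk does not show.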
{go_back} {hurl}.'.format( signup_success_message=_( @@ -234,7 +234,7 @@ class SignupValidatedView(SignupValidateView): context = super(SignupValidateView, self).get_context_data(**kwargs) validated = CustomUser.validate_url(self.kwargs['validate_slug']) login_url = '' + str(_('login')) + '' + reverse('hosting:login') + '">' + str(_('login')) + '' section_title = _('Account activation') if validated: message = '{account_activation_string}
{login_string} {lurl}.'.format( @@ -244,7 +244,7 @@ class SignupValidatedView(SignupValidateView): lurl=login_url) else: home_url = 'Data Center Light' + reverse('datacenterlight:index') + '">Data Center Light' message = '{sorry_message}
{go_back_to} {hurl}'.format( sorry_message=_("Sorry. Your request is invalid."), go_back_to=_('Go back to'),
@@ -343,9 +343,11 @@ class SSHKeyDeleteView(LoginRequiredMixin, DeleteView):
 model = UserHostingKey
 def get_object(self, queryset=None):
- """ Hook to ensure object is owned by request.user. """
+ """ Hook to ensure UserHostingKey object is owned by request.user.
+ We reply with a Http404 if the user is not the owner of the key.
+ """
 obj = super(SSHKeyDeleteView, self).get_object()
- if not obj.owner == self.request.user:
+ if not obj.user == self.request.user:
 raise Http404
 return obj
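Review bot: The ownership check in `get_object` has no test in this series, and the first patch shipped it as `obj.owner` where this hunk needs `obj.user`, which suggests the path was never exercised. A regression test should log in as a second user, request the delete URL for the first user's key with both GET and POST, and assert a 404 with the key still present. The comparison would also read more directly as `if obj.user != self.request.user:`. An alternative that never loads another user's key is to scope the lookup in `get_queryset` with `.filter(user=self.request.user)`, so the generic view raises the 404 itself. The class body continues outside the hunk, so whether `delete` re-checks the owner cannot be seen from here.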