imacat/mia-accounting
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases 41 Wiki Activity

Revised the next URI utilities to apply URLSafeSerializer for encoding and decoding the next URI, in order to prevent tampering with the next URI.

Browse Source
This commit is contained in:
依瑪貓
2023-05-23 08:24:12 +08:00
parent 822c8fc49b
commit 818c357613
14 changed files with 426 additions and 251 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
tests/test_site/__init__.py
View File

@ -23,13 +23,15 @@ from typing import Type
from click.testing import Result
from flask import Flask, Blueprint, render_template, redirect, Response, \
url_for
url_for, request
from flask.testing import FlaskCliRunner
from flask_babel_js import BabelJS
from flask_sqlalchemy import SQLAlchemy
from flask_wtf import CSRFProtect
from sqlalchemy import Column
from accounting.utils.next_uri import encode_next
bp: Blueprint = Blueprint("home", __name__)
"""The global blueprint."""
babel_js: BabelJS = BabelJS()
@ -66,6 +68,7 @@ def create_app(is_testing: bool = False) -> Flask:
db.init_app(app)
app.register_blueprint(bp, url_prefix="/")
app.add_template_global(__as_next, "accounting_as_next")
from . import locale
locale.init_app(app)
@ -146,3 +149,12 @@ def get_home() -> str:
:return: The home page.
"""
return render_template("home.html")
def __as_next() -> str:
"""Encodes the current request URI as value for the next URI.
:return: The current request URI as value for the next URI.
"""
return encode_next(
request.full_path if request.query_string else request.path)

22
tests/test_site/lib.py
View File

@ -140,36 +140,38 @@ class JournalEntryData:
for line_item in currency.credit:
line_item.journal_entry = self
def new_form(self, csrf_token: str, next_uri: str) -> dict[str, str]:
def new_form(self, csrf_token: str, encoded_next_uri: str) \
-> dict[str, str]:
"""Returns the journal entry as a creation form.
:param csrf_token: The CSRF token.
:param next_uri: The next URI.
:param encoded_next_uri: The encoded next URI.
:return: The journal entry as a creation form.
"""
return self.__form(csrf_token, next_uri, is_update=False)
return self.__form(csrf_token, encoded_next_uri, is_update=False)
def update_form(self, csrf_token: str, next_uri: str) -> dict[str, str]:
def update_form(self, csrf_token: str, encoded_next_uri: str) \
-> dict[str, str]:
"""Returns the journal entry as an update form.
:param csrf_token: The CSRF token.
:param next_uri: The next URI.
:param encoded_next_uri: The encoded next URI.
:return: The journal entry as an update form.
"""
return self.__form(csrf_token, next_uri, is_update=True)
return self.__form(csrf_token, encoded_next_uri, is_update=True)
def __form(self, csrf_token: str, next_uri: str, is_update: bool = False) \
-> dict[str, str]:
def __form(self, csrf_token: str, encoded_next_uri: str,
is_update: bool = False) -> dict[str, str]:
"""Returns the journal entry as a form.
:param csrf_token: The CSRF token.
:param next_uri: The next URI.
:param encoded_next_uri: The encoded next URI.
:param is_update: True for an update operation, or False otherwise
:return: The journal entry as a form.
"""
date: dt.date = dt.date.today() - dt.timedelta(days=self.days)
form: dict[str, str] = {"csrf_token": csrf_token,
"next": next_uri,
"next": encoded_next_uri,
"date": date.isoformat()}
for i in range(len(self.currencies)):
form.update(self.currencies[i].form(i + 1, is_update))

2
tests/test_site/templates/base.html
View File

@ -96,7 +96,7 @@ First written: 2023/1/27
</span>
<form action="{{ url_for("locale.set-locale") }}" method="post">
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<input type="hidden" name="next" value="{{ request.full_path if request.query_string else request.path }}">
<input type="hidden" name="next" value="{{ accounting_as_next() }}">
<ul class="dropdown-menu dropdown-menu-end">
{% for locale_code, locale_name in get_all_linguas().items() %}
<li>