Use CSRF token on forms to trigger a new builds #3260

humitos · 2017-11-14T17:26:33Z

Avoid "This endpoint is deprecated" raised when hitting and old
endpoint with security issues.

Now, each view that shows a form with the "Build" button uses the
BuildTriggerMixin to handle the POST request and trigger the new build.

Closes #3253

Avoid "This endpoint is deprecated" raised when hitting and old endpoint with security issues. Now, each view that shows a form with the "Build" button uses the BuildTriggerMixin to handle the POST request and trigger the new build. Closes #3253

agjohnson

Looks good! I noted a queryset that will need to change first, but otherwise this seems to be what we need.

agjohnson · 2017-11-14T19:06:36Z

readthedocs/builds/views.py

+class BuildTriggerMixin(object):
+    def post(self, request, project_slug):
+        project = get_object_or_404(
+            Project.objects.protected(self.request.user),


These queryset methods are not documented at all, which we should probably fix, but protected is not the method we want here. This queryset will return projects with the public or protected privacy state, adding projects the user can view, from Project.objects._add_user_repos.

Instead, this should probably be Project.objects.for_admin_user(self.request.user), as we only want to surface the form posting ability for users that are authenticated and own the project.

Oh, I use the same than in BuildBase.

If I use for_admin_user, who will be able to trigger the builds? Just the owner?

If that's the case, we will need to remove/hide the Build button if the user doesn't own the project, right?

safwanrahman · 2017-11-14T20:41:42Z

readthedocs/builds/views.py

@@ -33,7 +34,24 @@ def get_queryset(self):
        return queryset


-class BuildList(BuildBase, ListView):
+class BuildTriggerMixin(object):
+    def post(self, request, project_slug):


This should not be only for logged in user?

login_required decorator can be used here

Good point, we do need to check for a proper request.user here.

we do need to check for a proper request.user here

what do you mean with this?

The user must be logged in to trigger a build.

agjohnson requested changes Nov 14, 2017

View reviewed changes

Filter project by for_admin_user

153204f

safwanrahman reviewed Nov 14, 2017

View reviewed changes

Use login_required as method_decorator for BuildTriggerMixin

e77daab

The user must be logged in to trigger a build.

agjohnson approved these changes Nov 15, 2017

View reviewed changes

agjohnson merged commit 4de678e into master Nov 15, 2017

agjohnson deleted the humitos/build/trigger-no-api branch November 15, 2017 20:30

This was referenced Nov 16, 2017

"stable" appearing to track future release branches #3268

Closed

Build - This page does not exist yet. #3303

Closed

humitos mentioned this pull request Nov 29, 2017

Build is not working #3223

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use CSRF token on forms to trigger a new builds #3260

Use CSRF token on forms to trigger a new builds #3260

humitos commented Nov 14, 2017

agjohnson left a comment

agjohnson Nov 14, 2017

humitos Nov 14, 2017

safwanrahman Nov 14, 2017 •

edited

Loading

safwanrahman Nov 14, 2017

agjohnson Nov 14, 2017

humitos Nov 15, 2017

Use CSRF token on forms to trigger a new builds #3260

Use CSRF token on forms to trigger a new builds #3260

Conversation

humitos commented Nov 14, 2017

agjohnson left a comment

Choose a reason for hiding this comment

agjohnson Nov 14, 2017

Choose a reason for hiding this comment

humitos Nov 14, 2017

Choose a reason for hiding this comment

safwanrahman Nov 14, 2017 • edited Loading

Choose a reason for hiding this comment

safwanrahman Nov 14, 2017

Choose a reason for hiding this comment

agjohnson Nov 14, 2017

Choose a reason for hiding this comment

humitos Nov 15, 2017

Choose a reason for hiding this comment

safwanrahman Nov 14, 2017 •

edited

Loading