Use CSRF token on forms to trigger new builds #3260
Conversation
Avoid "This endpoint is deprecated" raised when hitting an old endpoint with security issues. Now, each view that shows a form with the "Build" button uses the BuildTriggerMixin to handle the POST request and trigger the new build. Closes #3253
Looks good! I noted a queryset that will need to change first, but otherwise this seems to be what we need.
readthedocs/builds/views.py
Outdated
class BuildTriggerMixin(object): | ||
def post(self, request, project_slug): | ||
project = get_object_or_404( | ||
Project.objects.protected(self.request.user), |
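Review bot: post in BuildTriggerMixin has no authentication or ownership check before it triggers a build; Project.objects.protected(self.request.user) only scopes the lookup to projects the user is allowed to view, so any user who can see the project can POST here and queue a build. Look the project up with Project.objects.for_admin_user(self.request.user) instead, and gate the view with login_required (or Django's LoginRequiredMixin) so an anonymous request.user is rejected before the queryset is evaluated.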
These queryset methods are not documented at all, which we should probably fix, but protected is not the method we want here. This queryset will return projects with the public or protected privacy state, adding projects the user can view, from Project.objects._add_user_repos.
Instead, this should probably be Project.objects.for_admin_user(self.request.user), as we only want to surface the form posting ability for users that are authenticated and own the project.
Oh, I use the same as in BuildBase.
If I use for_admin_user, who will be able to trigger the builds? Just the owner?
If that's the case, we will need to remove/hide the Build button if the user doesn't own the project, right?
readthedocs/builds/views.py
Outdated
@@ -33,7 +34,24 @@ def get_queryset(self): | |||
return queryset | |||
|
|||
|
|||
class BuildList(BuildBase, ListView): | |||
class BuildTriggerMixin(object): | |||
def post(self, request, project_slug): |
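Review bot: BuildTriggerMixin is declared on bare object with no login check on post, and it is inserted ahead of class BuildList(BuildBase, ListView); for its post to take precedence it has to be listed before the generic view in each subclass's bases, and it still needs login_required (via method_decorator on dispatch) or LoginRequiredMixin so the POST handler is only reachable by an authenticated request.user.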
Shouldn't this be only for logged-in users?
The login_required decorator can be used here.
Good point, we do need to check for a proper request.user here.
we do need to check for a proper request.user here
What do you mean by this?
The user must be logged in to trigger a build.
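The thread above turns on three checks the build form's POST handler needs: the request must come from a logged-in user, the CSRF token must be present and match, and the project must be looked up through a queryset that only returns projects the user administers rather than projects the user can merely view. The following is an added example written for this page, not code from the readthedocs.org project: it models those checks in plain Python with no Django dependency. User, Project, Request, the in-memory PROJECTS table, the protected() and for_admin_user() functions (which only loosely imitate the querysets named in the review) and BuildTriggerView are all constructed here for illustration, and run_scenarios() lets you compare the two querysets side by side.

```python
"""Constructed model of the access checks discussed in PR #3260 (not project code)."""
import hmac
import secrets
from dataclasses import dataclass, field

# Outcomes of a POST to the build form.
LOGIN_REQUIRED = "redirect-to-login"
CSRF_REJECTED = "forbidden"
NOT_FOUND = "not-found"
BUILD_TRIGGERED = "build-triggered"


@dataclass(frozen=True)
class User:
    username: str
    is_authenticated: bool = True


ANONYMOUS = User("anonymous", is_authenticated=False)


@dataclass(frozen=True)
class Project:
    slug: str
    privacy_level: str                  # "public", "protected" or "private"
    admins: frozenset = field(default_factory=frozenset)


# Constructed sample data: "owner" administers both projects, nobody else does.
PROJECTS = {
    "docs": Project("docs", "public", frozenset({"owner"})),
    "internal": Project("internal", "private", frozenset({"owner"})),
}


def protected(user):
    """Hypothetical stand-in for Project.objects.protected(): projects the user can VIEW."""
    return [p for p in PROJECTS.values()
            if p.privacy_level in ("public", "protected") or user.username in p.admins]


def for_admin_user(user):
    """Hypothetical stand-in for Project.objects.for_admin_user(): projects the user OWNS."""
    if not user.is_authenticated:
        return []
    return [p for p in PROJECTS.values() if user.username in p.admins]


@dataclass
class Request:
    user: User
    session: dict
    POST: dict


def issue_csrf_token(session):
    """The token the form template would render; its server-side copy lives in the session."""
    session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


class BuildTriggerView:
    """Hypothetical equivalent of the PR's BuildTriggerMixin with the review's checks applied."""

    def __init__(self, queryset=for_admin_user):
        self.queryset = queryset
        self.triggered = []             # slugs for which a build was queued

    def post(self, request, project_slug):
        # 1. login_required: anonymous users never reach the trigger.
        if not request.user.is_authenticated:
            return LOGIN_REQUIRED
        # 2. CSRF: the token submitted with the form must match the session's copy.
        expected = request.session.get("csrf_token", "")
        supplied = request.POST.get("csrfmiddlewaretoken", "")
        if not expected or not hmac.compare_digest(expected, supplied):
            return CSRF_REJECTED
        # 3. Ownership: the equivalent of get_object_or_404 on the chosen queryset.
        if project_slug not in {p.slug for p in self.queryset(request.user)}:
            return NOT_FOUND
        self.triggered.append(project_slug)
        return BUILD_TRIGGERED


def _post_as(view, user, slug, with_token=True):
    """Submit the build form as `user`; with_token=False mimics a cross-site POST."""
    session, form = {}, {}
    token = issue_csrf_token(session)
    if with_token:
        form["csrfmiddlewaretoken"] = token
    return view.post(Request(user, session, form), slug)


def run_scenarios(queryset=for_admin_user):
    """Exercise the view with each kind of caller; returns the outcomes and queued builds."""
    view = BuildTriggerView(queryset)
    outcomes = {
        "anonymous": _post_as(view, ANONYMOUS, "docs"),
        "viewer": _post_as(view, User("viewer"), "docs"),
        "owner_no_token": _post_as(view, User("owner"), "docs", with_token=False),
        "owner": _post_as(view, User("owner"), "docs"),
    }
    outcomes["builds"] = list(view.triggered)
    return outcomes


if __name__ == "__main__":
    print("for_admin_user:", run_scenarios(for_admin_user))
    print("protected:     ", run_scenarios(protected))
```

With the for_admin_user lookup, only the owner with a valid token gets a build queued; the viewer gets a 404-style outcome and the token-less owner is refused. Swapping in protected() shows the problem the reviewer flagged: the viewer, who can see the public project, is then able to queue a build too, which is why the form should also be hidden from users who do not own the project.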
Avoid "This endpoint is deprecated" raised when hitting an old
endpoint with security issues.
Now, each view that shows a form with the "Build" button uses the
BuildTriggerMixin to handle the POST request and trigger the new build.
Closes #3253