[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
Re: [tor-bugs] #10754 [Tor Support]: Implement an invitation based token system into webchat
#10754: Implement an invitation based token system into webchat
-----------------------------+--------------------------
Reporter: Sherief | Owner: Sherief
Type: task | Status: needs_review
Priority: blocker | Milestone:
Component: Tor Support | Version:
Resolution: | Keywords: SponsorO
Actual Points: | Parent ID: #10755
Points: |
-----------------------------+--------------------------
Comment (by Sherief):
Replying to [comment:28 lunar]:
> Replying to [comment:27 Sherief]:
> > Replying to [comment:26 lunar]:
> > > Is it really needed to have a `pups_project` sub-directory? Probably
related question: shouldn't be the `stats` and `webchat` modules be sub-
modules of the `pups` module?
> > No. I can just name the repo pups_project and remove the extra folder.
>
> Why not simply `pups`?
That's doable but I will also change "pups" the app that handles accounts
to "accounts".
> > > This should really be turned into its own method for readability:
> > > {{{
> > > token.get_assistant_tokens(User.objects.get(id =
request.user.id)).filter(expires_at__gt=F('created_at')),
> > > }}}
> >
> > I just added the `.filter(expires_at__gt=F('created_at'))` part to
> > `models.Token.get_assistant_tokens(assistant)`
>
> Then I believe the function name should be changed too.
>
> > > Unless I'm mistaken `webchat/templates/tokens.html` directly contain
the value of `token.comment`. It should be escaped to be displayed in an
HTML context, otherwise that's a security issue.
> >
> > I tried to add html tags, sql code but non worked since Django's ORM
checks things before adding data into the db automatically and
render(request, template, context)'s context handles what you mean.
>
> What if an attacker manage to add data to the DB without going through
Django's validation process?
That's not even possible because:
1) token_page() is decorated with `@login_required`
2) you cannot access create_token() because it's not mentioned in urls.py
like `token_page()` and `login()`.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10754#comment:29>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs