
Re: [tor-bugs] #10754 [Tor Support]: Implement an invitation based token system into webchat



#10754: Implement an invitation based token system into webchat
-----------------------------+--------------------------
     Reporter:  Sherief      |      Owner:  Sherief
         Type:  task         |     Status:  needs_review
     Priority:  blocker      |  Milestone:
    Component:  Tor Support  |    Version:
   Resolution:               |   Keywords:  SponsorO
Actual Points:               |  Parent ID:  #10755
       Points:               |
-----------------------------+--------------------------

Comment (by Sherief):

 Replying to [comment:28 lunar]:
 > Replying to [comment:27 Sherief]:
 > > Replying to [comment:26 lunar]:
 > > > Is it really needed to have a `pups_project` sub-directory? Probably
 > > > related question: shouldn't the `stats` and `webchat` modules be
 > > > sub-modules of the `pups` module?
 > > No. I can just name the repo pups_project and remove the extra folder.
 >
 > Why not simply `pups`?

 That's doable but I will also change "pups" the app that handles accounts
 to "accounts".

 > > > This should really be turned into its own method for readability:
 > > > {{{
 > > > token.get_assistant_tokens(User.objects.get(id =
 > > > request.user.id)).filter(expires_at__gt=F('created_at')),
 > > > }}}
 > >
 > > I just added the `.filter(expires_at__gt=F('created_at'))` part to
 > > `models.Token.get_assistant_tokens(assistant)`
 >
 > Then I believe the function name should be changed too.
 >
 > > > Unless I'm mistaken, `webchat/templates/tokens.html` directly contains
 > > > the value of `token.comment`. It should be escaped to be displayed in an
 > > > HTML context, otherwise that's a security issue.
 > >
 > > I tried to add HTML tags and SQL code but none worked, since Django's ORM
 > > checks things before adding data into the db automatically and
 > > render(request, template, context)'s context handles what you mean.
 >
 > What if an attacker manages to add data to the DB without going through
 > Django's validation process?

 That's not even possible because:
 1) token_page() is decorated with `@login_required`
 2) you cannot access create_token() because it's not mentioned in urls.py
 like `token_page()` and `login()`.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10754#comment:29>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs
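The escaping question lunar raises above is about where the protection lives: the database layer stores whatever text it is given, and the login decorator and URL routing only decide who may reach a view, so the only place a `token.comment` value becomes safe for an HTML page is at render time. The following is an added example, not code from the ticket or from the pups/webchat project. It uses an in-memory SQLite table, a `SafeString` marker and a `render_comment_list` function, all constructed here as a stand-in for Django's model and template autoescaping, to show that a stored comment reaches the template unchanged and that output escaping is what neutralises it.

```python
"""
Added illustration (not code from the ticket or the pups project): a minimal
stand-in for Django's template autoescaping, showing why a stored comment
must be escaped where it is rendered into HTML. The `token` table, the
`SafeString` marker, `render_comment_list` and the sample comment are all
constructed for this example.
"""
import html
import sqlite3


class SafeString(str):
    """Marker type for a string the caller vouches for as already-safe HTML
    (the analogue of Django's mark_safe / SafeString)."""


def mark_safe(value: str) -> SafeString:
    """Opt a value out of escaping; the caller takes responsibility for it."""
    return SafeString(value)


def escape_for_html(value) -> str:
    """Autoescape rule: escape every value except those explicitly marked safe."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(str(value), quote=True)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the webchat token table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE token (id INTEGER PRIMARY KEY, comment TEXT)")
    return conn


def store_comment(conn: sqlite3.Connection, comment: str) -> int:
    """Insert a comment with a parameterised query. The parameter binding
    prevents SQL injection, but the text itself is stored byte-for-byte:
    neither the driver nor an ORM inspects it for HTML."""
    cur = conn.execute("INSERT INTO token (comment) VALUES (?)", (comment,))
    conn.commit()
    return cur.lastrowid


def render_comment_list(conn: sqlite3.Connection, autoescape: bool = True) -> str:
    """Render the stored comments into an HTML list, as the template would.
    autoescape=False models a template that emits the raw value."""
    rows = conn.execute("SELECT comment FROM token ORDER BY id").fetchall()
    items = []
    for (comment,) in rows:
        rendered = escape_for_html(comment) if autoescape else str(comment)
        items.append(f"<li>{rendered}</li>")
    return "<ul>" + "".join(items) + "</ul>"


# Constructed sample value: HTML that must not be interpreted by the browser.
CONSTRUCTED_COMMENT = "<script>alert(1)</script>"


def demo() -> dict:
    """Store a benign and a constructed HTML-bearing comment, then render both ways."""
    conn = make_db()
    store_comment(conn, "invite for alice")
    store_comment(conn, CONSTRUCTED_COMMENT)
    stored = conn.execute("SELECT comment FROM token WHERE id = 2").fetchone()[0]
    return {
        "stored_unchanged": stored,
        "escaped": render_comment_list(conn, autoescape=True),
        "unescaped": render_comment_list(conn, autoescape=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Django's template engine applies the escaping rule modelled by `escape_for_html` by default, so a plain `{{ token.comment }}` is safe; it is disabled only where a template uses the `|safe` filter, an `{% autoescape off %}` block, or a value passed through `mark_safe()`. The practical check for this ticket is therefore to confirm that `tokens.html` renders `token.comment` without any of those, since access control on the view does not change what the template does with a value that is already in the table.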