Skip to main content
Code Review

Return to Question

Tweeted twitter.com/StackCodeReview/status/1270007694741639172
update formatting
Source Link

vote/ajax.html (only function):

vote/ajax.html (only function):

ajax/views.py:

ajax/views.py:

vote/functions:

vote/functions:

vote/ajax.html (only function):

ajax/views.py:

vote/functions:

vote/ajax.html (only function):

ajax/views.py:

vote/functions:

Post Reopened by 301_Moved_Permanently, Ludisposed, Sᴀᴍ Onᴇᴌᴀ , Community Bot, Mast
improved formatting
Source Link
Myzel394
  • 296
  • 2
  • 8

def vote(request): try: app_name = request.POST.get("app_name") model_name = request.POST.get("model_name") id = request.POST.get("id") votedFor = True if request.POST.get("voted") == "true" else False except ValueError: return JsonResponse({"error": True})

def vote(request):
 try:
 app_name = request.POST.get("app_name")
 model_name = request.POST.get("model_name")
 id = request.POST.get("id")
 votedFor = True if request.POST.get("voted") == "true" else False
 except ValueError:
 return JsonResponse({"error": True})
 model = apps.get_model(app_name, model_name)
if model is None or id is None:
 return JsonResponse({"error": True})
try:
 usable_model = model.objects.get(id=id)
except model.DoesNotExist:
 return JsonResponse({"error": True})
try:
 usable_model.vote._meta.get_field("votes")
except FieldDoesNotExist:
 return JsonResponse({"error": True})
usable_model.vote.vote(request, votedFor)
return JsonResponse({"error": False})

def vote(self, request, votedFor):
 if request.user.is_authenticated:
 if not UserVoted.objects.filter(User=request.user, Vote=self).exists():
 UserVoted.objects.create(User=request.user, Vote=self, votedFor=votedFor)
 self._like_or_dislike(votedFor)
 return True
 return False
 ip = get_client_ip(request)
 if ip:
 if not UserVoted.objects.filter(ip=ip, Vote=self).exists():
 UserVoted.objects.create(ip=ip, Vote=self, votedFor=votedFor)
 self._like_or_dislike(votedFor)
 return True
 return False
 return False
def _like_or_dislike(self, votedFor):
 if votedFor is not None:
 Vote.objects.filter(id=self.id).update(votes=F('votes') + 1) if votedFor else Vote.objects.filter(id=self.id).update(votes=F('votes') - 1)
 return True
 return False

def vote(request): try: app_name = request.POST.get("app_name") model_name = request.POST.get("model_name") id = request.POST.get("id") votedFor = True if request.POST.get("voted") == "true" else False except ValueError: return JsonResponse({"error": True})

model = apps.get_model(app_name, model_name)
if model is None or id is None:
 return JsonResponse({"error": True})
try:
 usable_model = model.objects.get(id=id)
except model.DoesNotExist:
 return JsonResponse({"error": True})
try:
 usable_model.vote._meta.get_field("votes")
except FieldDoesNotExist:
 return JsonResponse({"error": True})
usable_model.vote.vote(request, votedFor)
return JsonResponse({"error": False})

def vote(self, request, votedFor):
 if request.user.is_authenticated:
 if not UserVoted.objects.filter(User=request.user, Vote=self).exists():
 UserVoted.objects.create(User=request.user, Vote=self, votedFor=votedFor)
 self._like_or_dislike(votedFor)
 return True
 return False
 ip = get_client_ip(request)
 if ip:
 if not UserVoted.objects.filter(ip=ip, Vote=self).exists():
 UserVoted.objects.create(ip=ip, Vote=self, votedFor=votedFor)
 self._like_or_dislike(votedFor)
 return True
 return False
 return False
def _like_or_dislike(self, votedFor):
 if votedFor is not None:
 Vote.objects.filter(id=self.id).update(votes=F('votes') + 1) if votedFor else Vote.objects.filter(id=self.id).update(votes=F('votes') - 1)
 return True
 return False

def vote(request):
 try:
 app_name = request.POST.get("app_name")
 model_name = request.POST.get("model_name")
 id = request.POST.get("id")
 votedFor = True if request.POST.get("voted") == "true" else False
 except ValueError:
 return JsonResponse({"error": True})
 model = apps.get_model(app_name, model_name)
if model is None or id is None:
 return JsonResponse({"error": True})
try:
 usable_model = model.objects.get(id=id)
except model.DoesNotExist:
 return JsonResponse({"error": True})
try:
 usable_model.vote._meta.get_field("votes")
except FieldDoesNotExist:
 return JsonResponse({"error": True})
usable_model.vote.vote(request, votedFor)
return JsonResponse({"error": False})

def vote(self, request, votedFor):
 if request.user.is_authenticated:
 if not UserVoted.objects.filter(User=request.user, Vote=self).exists():
 UserVoted.objects.create(User=request.user, Vote=self, votedFor=votedFor)
 self._like_or_dislike(votedFor)
 return True
 return False
 ip = get_client_ip(request)
 if ip:
 if not UserVoted.objects.filter(ip=ip, Vote=self).exists():
 UserVoted.objects.create(ip=ip, Vote=self, votedFor=votedFor)
 self._like_or_dislike(votedFor)
 return True
 return False
 return False
def _like_or_dislike(self, votedFor):
 if votedFor is not None:
 Vote.objects.filter(id=self.id).update(votes=F('votes') + 1) if votedFor else Vote.objects.filter(id=self.id).update(votes=F('votes') - 1)
 return True
 return False
Post Closed as "Not suitable for this site" by 200_success, Sᴀᴍ Onᴇᴌᴀ , alecxe, Heslacher, 301_Moved_Permanently
deleted 24 characters in body; edited title
Source Link
Jamal
  • 35.2k
  • 13
  • 134
  • 238

Python/Django Class based saving - worried about security

I'm creating multiple djangoDjango apps with vote possibilities. So, so I made an app vote to handle all this votes. In my templates I'm including an ajax-function named vote. To know on which model I'm liking I add app_name and model_name to the vote function (I made some templatetags to get these values). In my views.py I use model = apps.get_model(app_name, model_name) to get the model class. But now I'm worried a hacker could do something with the app_name and model_name values.

Here are my files:

I already manipulated app_name and model_name and the server didntdidn't crash but I dontdon't know what a hacker can do. Can he crash my server when he manipulate these values? (maybe "ajax-injection" or something like this?)

Python/Django Class based saving - worried about security

I'm creating multiple django apps with vote possibilities. So I made an app vote to handle all this votes. In my templates I'm including an ajax-function named vote. To know on which model I'm liking I add app_name and model_name to the vote function (I made some templatetags to get these values). In my views.py I use model = apps.get_model(app_name, model_name) to get the model class. But now I'm worried a hacker could do something with the app_name and model_name values.

Here are my files:

I already manipulated app_name and model_name and the server didnt crash but I dont know what a hacker can do. Can he crash my server when he manipulate these values? (maybe "ajax-injection" or something like this?)

Python/Django Class based saving

I'm creating multiple Django apps with vote possibilities, so I made an app vote to handle all this votes. In my templates I'm including an ajax-function named vote. To know on which model I'm liking I add app_name and model_name to the vote function (I made some templatetags to get these values). In my views.py I use model = apps.get_model(app_name, model_name) to get the model class. But now I'm worried a hacker could do something with the app_name and model_name values.

I already manipulated app_name and model_name and the server didn't crash but I don't know what a hacker can do. Can he crash my server when he manipulate these values? (maybe "ajax-injection" or something like this?)

edited tags
Link
Mast
  • 13.8k
  • 12
  • 57
  • 127
Loading
corrected code
Source Link
Myzel394
  • 296
  • 2
  • 8
Loading
Source Link
Myzel394
  • 296
  • 2
  • 8
Loading
lang-py

AltStyle によって変換されたページ (->オリジナル) /