CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2026-05-05 15:14:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Replace redirect() with redirect_to_url() if we don't need Django's resolution

Browse Source
This commit is contained in:
Raphael Michel
2023-12-08 15:38:25 +01:00
parent 2acf043872
commit 12a898476e
19 changed files with 134 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/pretix/control/middleware.py
View File

@@ -37,7 +37,7 @@ from urllib.parse import quote, urljoin, urlparse
from django.conf import settings
from django.contrib.auth import REDIRECT_FIELD_NAME, logout
from django.http import Http404
from django.shortcuts import get_object_or_404, redirect, resolve_url
from django.shortcuts import get_object_or_404, resolve_url
from django.template.response import TemplateResponse
from django.urls import get_script_prefix, resolve, reverse
from django.utils.encoding import force_str
@@ -46,6 +46,7 @@ from django_scopes import scope
from pretix.base.models import Event, Organizer
from pretix.base.models.auth import SuperuserPermissionSet, User
from pretix.helpers.http import redirect_to_url
from pretix.helpers.security import (
SessionInvalid, SessionReauthRequired, assert_session_valid,
)
@@ -118,7 +119,7 @@ class PermissionMiddleware:
if hasattr(request, 'organizer'):
# If the user is on a organizer's subdomain, he should be redirected to pretix
return redirect(urljoin(settings.SITE_URL, request.get_full_path()))
return redirect_to_url(urljoin(settings.SITE_URL, request.get_full_path()))
if url_name in self.EXCEPTIONS:
return self.get_response(request)
if not request.user.is_authenticated:
@@ -132,14 +133,14 @@ class PermissionMiddleware:
return self._login_redirect(request)
except SessionReauthRequired:
if url_name not in ('user.reauth', 'auth.logout'):
return redirect(reverse('control:user.reauth') + '?next=' + quote(request.get_full_path()))
return redirect_to_url(reverse('control:user.reauth') + '?next=' + quote(request.get_full_path()))
if request.user.needs_password_change and url_name not in self.EXCEPTIONS_FORCED_PW_CHANGE:
return redirect(reverse('control:user.settings') + '?next=' + quote(request.get_full_path()))
return redirect_to_url(reverse('control:user.settings') + '?next=' + quote(request.get_full_path()))
if not request.user.require_2fa and settings.PRETIX_OBLIGATORY_2FA \
and url_name not in self.EXCEPTIONS_2FA:
return redirect(reverse('control:user.settings.2fa'))
return redirect_to_url(reverse('control:user.settings.2fa'))
if 'event' in url.kwargs and 'organizer' in url.kwargs:
if url.kwargs['organizer'] == '-' and url.kwargs['event'] == '-':
@@ -152,7 +153,7 @@ class PermissionMiddleware:
k = dict(url.kwargs)
k['organizer'] = ev.organizer.slug
k['event'] = ev.slug
return redirect(reverse(url.view_name, kwargs=k, args=url.args))
return redirect_to_url(reverse(url.view_name, kwargs=k, args=url.args))
with scope(organizer=None):
request.event = Event.objects.filter(
@@ -178,7 +179,7 @@ class PermissionMiddleware:
"have no permission to administrate it."))
k = dict(url.kwargs)
k['organizer'] = org.slug
return redirect(reverse(url.view_name, kwargs=k, args=url.args))
return redirect_to_url(reverse(url.view_name, kwargs=k, args=url.args))
request.organizer = Organizer.objects.filter(
slug=url.kwargs['organizer'],

5
src/pretix/control/permissions.py
View File

@@ -35,10 +35,11 @@
from urllib.parse import quote
from django.core.exceptions import PermissionDenied
from django.shortcuts import redirect
from django.urls import reverse
from django.utils.translation import gettext as _
from pretix.helpers.http import redirect_to_url
def current_url(request):
if request.GET:
@@ -135,7 +136,7 @@ def administrator_permission_required():
raise PermissionDenied()
if not request.user.has_active_staff_session(request.session.session_key):
if request.user.is_staff:
return redirect(reverse('control:user.sudo') + '?next=' + quote(current_url(request)))
return redirect_to_url(reverse('control:user.sudo') + '?next=' + quote(current_url(request)))
raise PermissionDenied(_('You do not have permission to view this content.'))
return function(request, *args, **kw)
return wrapper

21
src/pretix/control/views/auth.py
View File

@@ -87,8 +87,8 @@ def process_login(request, user, keep_logged_in):
auth_login(request, user)
request.session['pretix_auth_login_time'] = int(time.time())
if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
return redirect(next_url)
return redirect(reverse('control:index'))
return redirect_to_url(next_url)
return redirect('control:index')
def login(request):
@@ -149,7 +149,10 @@ def register(request):
raise PermissionDenied('Registration is disabled')
ctx = {}
if request.user.is_authenticated:
return redirect(request.GET.get("next", 'control:index'))
next_url = request.GET.get("next") or reverse("control:index")
if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
return redirect_to_url(next_url)
return redirect("control:index")
if request.method == 'POST':
form = RegistrationForm(data=request.POST)
if form.is_valid():
@@ -256,7 +259,10 @@ class Forgot(TemplateView):
def get(self, request, *args, **kwargs):
if request.user.is_authenticated:
return redirect(request.GET.get("next", 'control:index'))
next_url = request.GET.get("next") or reverse("control:index")
if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
return redirect_to_url(next_url)
return redirect("control:index")
return super().get(request, *args, **kwargs)
def post(self, request, *args, **kwargs):
@@ -329,7 +335,10 @@ class Recover(TemplateView):
def get(self, request, *args, **kwargs):
if request.user.is_authenticated:
return redirect(request.GET.get("next", 'control:index'))
next_url = request.GET.get("next") or reverse("control:index")
if next_url and url_has_allowed_host_and_scheme(next_url, allowed_hosts=None):
return redirect_to_url(next_url)
return redirect("control:index")
try:
user = User.objects.get(id=self.request.GET.get('id'), is_active=True, auth_backend='native')
except User.DoesNotExist:
@@ -453,7 +462,7 @@ class Login2FAView(TemplateView):
del request.session['pretix_auth_2fa_time']
if "next" in request.GET and url_has_allowed_host_and_scheme(request.GET.get("next"), allowed_hosts=None):
return redirect_to_url(request.GET.get("next"))
return redirect(reverse('control:index'))
return redirect('control:index')
else:
messages.error(request, _('Invalid code, please try again.'))
return redirect('control:auth.login.2fa')

7
src/pretix/control/views/orderimport.py
View File

@@ -50,6 +50,7 @@ from pretix.base.services.orderimport import import_orders, parse_csv
from pretix.base.views.tasks import AsyncAction
from pretix.control.forms.orderimport import ProcessForm
from pretix.control.permissions import EventPermissionRequiredMixin
from pretix.helpers.http import redirect_to_url
logger = logging.getLogger(__name__)
ENCODINGS = (
@@ -69,19 +70,19 @@ class ImportView(EventPermissionRequiredMixin, TemplateView):
def post(self, request, *args, **kwargs):
if 'file' not in request.FILES:
return redirect(reverse('control:event.orders.import', kwargs={
return redirect_to_url(reverse('control:event.orders.import', kwargs={
'event': request.event.slug,
'organizer': request.organizer.slug,
}))
if not request.FILES['file'].name.lower().endswith('.csv'):
messages.error(request, _('Please only upload CSV files.'))
return redirect(reverse('control:event.orders.import', kwargs={
return redirect_to_url(reverse('control:event.orders.import', kwargs={
'event': request.event.slug,
'organizer': request.organizer.slug,
}))
if request.FILES['file'].size > settings.FILE_UPLOAD_MAX_SIZE_OTHER:
messages.error(request, _('Please do not upload files larger than 10 MB.'))
return redirect(reverse('control:event.orders.import', kwargs={
return redirect_to_url(reverse('control:event.orders.import', kwargs={
'event': request.event.slug,
'organizer': request.organizer.slug,
}))