Cart action views: Improve input validation
@@ -111,6 +111,12 @@ class CartActionMixin:
|
|||||||
|
|
||||||
parts = key.split("_")
|
parts = key.split("_")
|
||||||
price = self.request.POST.get('price_' + "_".join(parts[1:]), "")
|
price = self.request.POST.get('price_' + "_".join(parts[1:]), "")
|
||||||
|
subevent = None
|
||||||
|
if 'subevent' in self.request.POST:
|
||||||
|
try:
|
||||||
|
subevent = int(self.request.POST.get('subevent'))
|
||||||
|
except ValueError:
|
||||||
|
pass
|
||||||
|
|
||||||
if key.startswith('seat_'):
|
if key.startswith('seat_'):
|
||||||
try:
|
try:
|
||||||
@@ -121,7 +127,7 @@ class CartActionMixin:
|
|||||||
'seat': value,
|
'seat': value,
|
||||||
'price': price,
|
'price': price,
|
||||||
'voucher': voucher,
|
'voucher': voucher,
|
||||||
'subevent': self.request.POST.get("subevent")
|
'subevent': subevent
|
||||||
}
|
}
|
||||||
except ValueError:
|
except ValueError:
|
||||||
raise CartError(_('Please enter numbers only.'))
|
raise CartError(_('Please enter numbers only.'))
|
||||||
@@ -143,7 +149,7 @@ class CartActionMixin:
|
|||||||
'count': amount,
|
'count': amount,
|
||||||
'price': price,
|
'price': price,
|
||||||
'voucher': voucher,
|
'voucher': voucher,
|
||||||
'subevent': self.request.POST.get("subevent")
|
'subevent': subevent
|
||||||
}
|
}
|
||||||
except ValueError:
|
except ValueError:
|
||||||
raise CartError(_('Please enter numbers only.'))
|
raise CartError(_('Please enter numbers only.'))
|
||||||
@@ -155,7 +161,7 @@ class CartActionMixin:
|
|||||||
'count': amount,
|
'count': amount,
|
||||||
'price': price,
|
'price': price,
|
||||||
'voucher': voucher,
|
'voucher': voucher,
|
||||||
'subevent': self.request.POST.get("subevent")
|
'subevent': subevent
|
||||||
}
|
}
|
||||||
except ValueError:
|
except ValueError:
|
||||||
raise CartError(_('Please enter numbers only.'))
|
raise CartError(_('Please enter numbers only.'))
|
||||||
@@ -380,8 +386,11 @@ class CartRemove(EventViewMixin, CartActionMixin, AsyncAction, View):
|
|||||||
|
|
||||||
def post(self, request, *args, **kwargs):
|
def post(self, request, *args, **kwargs):
|
||||||
if 'id' in request.POST:
|
if 'id' in request.POST:
|
||||||
return self.do(self.request.event.id, request.POST.get('id'), get_or_create_cart_id(self.request),
|
try:
|
||||||
translation.get_language(), request.sales_channel.identifier)
|
return self.do(self.request.event.id, int(request.POST.get('id')), get_or_create_cart_id(self.request),
|
||||||
|
translation.get_language(), request.sales_channel.identifier)
|
||||||
|
except ValueError:
|
||||||
|
return redirect(self.get_error_url())
|
||||||
else:
|
else:
|
||||||
if 'ajax' in self.request.GET or 'ajax' in self.request.POST:
|
if 'ajax' in self.request.GET or 'ajax' in self.request.POST:
|
||||||
return JsonResponse({
|
return JsonResponse({
|
||||||
|
|||||||
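Review bot: In the first hunk (`@@ -111,6 +111,12 @@`), a posted `subevent` that fails `int()` is swallowed by `except ValueError: pass`, so a malformed value is silently treated as "no subevent" instead of being rejected. The later hunks in `CartActionMixin` raise `CartError(_('Please enter numbers only.'))` on `ValueError`; doing the same here (`except ValueError: raise CartError(_('Please enter numbers only.'))`) would fail closed, unless an empty `subevent` field is a legitimate submission, in which case only the empty string should map to `None`. The enclosing method starts and ends outside the hunk, so whether a later check rejects a missing subevent cannot be confirmed from here. In `CartRemove.post`, the new `try` wraps the whole `self.do(...)` call, so a `ValueError` raised inside `self.do` or `get_or_create_cart_id` would also end in the redirect; converting first (`item_id = int(request.POST.get('id'))`) and keeping only that line in the `try` narrows it.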