CGM_Public/pretix_original
2
0
Fork 1
mirror of https://github.com/pretix/pretix.git synced 2026-05-06 15:24:02 +00:00
Code Issues Packages Projects Releases Wiki Activity

[SECURITY] Bind relevant cached file downloads to the current session

Browse Source
This commit is contained in:
Raphael Michel
2020-12-18 19:17:23 +01:00
parent a3dd015c23
commit c60a25f2bc
11 changed files with 42 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/pretix/control/views/orders.py
View File

@@ -2064,7 +2064,7 @@ class ExportDoView(EventPermissionRequiredMixin, ExportMixin, AsyncAction, View)
messages.error(self.request, _('There was a problem processing your input. See below for error details.'))
return self.get(request, *args, **kwargs)
cf = CachedFile()
cf = CachedFile(web_download=True, session_key=request.session.session_key)
cf.date = now()
cf.expires = now() + timedelta(days=3)
cf.save()

2
src/pretix/control/views/organizer.py
View File

@@ -1242,7 +1242,7 @@ class ExportDoView(OrganizerPermissionRequiredMixin, ExportMixin, AsyncAction, V
messages.error(self.request, _('There was a problem processing your input. See below for error details.'))
return self.get(request, *args, **kwargs)
cf = CachedFile()
cf = CachedFile(web_download=True, session_key=request.session.session_key)
cf.date = now()
cf.expires = now() + timedelta(days=3)
cf.save()

4
src/pretix/control/views/pdf.py
View File

@@ -137,7 +137,7 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
buffer = BytesIO()
p.write(buffer)
buffer.seek(0)
c = CachedFile()
c = CachedFile(web_download=True)
c.expires = now() + timedelta(days=7)
c.date = now()
c.filename = 'background_preview.pdf'
@@ -162,7 +162,7 @@ class BaseEditorView(EventPermissionRequiredMixin, TemplateView):
"status": "error",
"error": error
})
c = CachedFile()
c = CachedFile(web_download=True)
c.expires = now() + timedelta(days=7)
c.date = now()
c.filename = 'background_preview.pdf'

2
src/pretix/control/views/shredder.py
View File

@@ -75,7 +75,7 @@ class ShredExportView(RecentAuthenticationRequiredMixin, EventPermissionRequired
if constr:
return self.error(ShredError(self.get_error_url()))
return self.do(self.request.event.id, request.POST.getlist("shredder"))
return self.do(self.request.event.id, request.POST.getlist("shredder"), self.request.session.session_key)
class ShredDoView(RecentAuthenticationRequiredMixin, EventPermissionRequiredMixin, ShredderMixin, AsyncAction, View):