Commit 8ea728ca by Xu Zhou

增加了所有接口的csrf验证。

parent c130850a
......@@ -49,7 +49,7 @@ class Publications(models.Model):
isOpen = models.CharField(max_length=5, default='1')
editDateTime = models.DateField(default=timezone.now)
# *Pubs vs *Users
class PubToUser(models.Model):
pubID = models.BigIntegerField()
username = models.CharField(max_length=50)
......
......@@ -11,6 +11,7 @@
<script src="{% static 'jquery.form.js' %}"></script>
<script type="text/javascript" src="{% static 'md/showdown.js' %}"></script>
<script type="text/javascript" src="{% static 'md5.js' %}"></script>
<script type="text/javascript" src="{% static 'common.js' %}" charset="UTF-8"></script>
</head>
<body>
......@@ -234,7 +235,6 @@
data['password']= $('input')[1].value;
data['actiontype']='0'; //0 添加用户 1 删除用户
encryptSend('/operator/', data); // Jsencrypt.do对应服务端处理地址
console.log("add user: username = " + username);
});
});
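Review bot: The `data` object handed to `encryptSend('/operator/', data)` carries no `csrfmiddlewaretoken`, yet the `operator` view loses its `@csrf_exempt` elsewhere in this commit, so this request will be rejected with a 403 unless the newly included `common.js` attaches the token to every request (for example via `$.ajaxSetup` adding an `X-CSRFToken` header); `common.js` is not in this diff, so that cannot be confirmed here. If it does not, the fix used in the other templates of this commit applies, `data['csrfmiddlewaretoken'] = '{{ csrf_token }}';` before the call. Note that if `encryptSend` encrypts the body before posting, as its name suggests, the middleware cannot read the token from the form body, and only the header route works. The enclosing click handler starts outside the hunk.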
......
......@@ -9,6 +9,7 @@
<link rel="stylesheet" type="text/css" href="{% static 'md/markdown.css' %}">
<script type="text/javascript" src="{% static 'md/showdown.js' %}"></script>
<script type="text/javascript" src="{% static 'bootstrap.min.js' %}"></script>
<script type="text/javascript" src="{% static 'common.js' %}" charset="UTF-8"></script>
</head>
<body>
<nav>
......
......@@ -339,15 +339,7 @@
$('#former_member').css('left','-100%');
}
/*
function logout(){
let storage = window.localStorage;
storage['username']="";
storage['password']="";
$('#top_bar').empty();
$('#top_bar').append("<ul><li onclick='login()'>登录</li></ul>");
}
*/
function click_bar(index){
let a_list = document.getElementsByClassName("main_bar");
$(a_list[pre_clicked]).removeClass('active');
......@@ -376,6 +368,7 @@
data:{
"username": username,
"password": hex_md5(password),
'csrfmiddlewaretoken': '{{ csrf_token }}'
},
success:function(response){
console.log(response);
......@@ -392,7 +385,7 @@
}
},
error:function (xhr) {
console.error('something went wrong...');
console.error('login error...');
login_fail("something went wrong...");
}
})
......@@ -424,6 +417,7 @@
dataType:'json',
data:{
"user_id": user_id,
'csrfmiddlewaretoken': '{{ csrf_token }}'
},
success:function(response){
console.log(response);
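Review bot: The token is inlined per call as `'csrfmiddlewaretoken': '{{ csrf_token }}'` in two `data` objects; that works for these form-encoded posts but has to be repeated for every `$.ajax` in the file and does not cover `FormData` uploads, which would need `formatData.append('csrfmiddlewaretoken', '{{ csrf_token }}')` instead. Since this commit loads `common.js` on every page, a single `$.ajaxSetup({ beforeSend: ... })` that sets the `X-CSRFToken` header from the `csrftoken` cookie (Django's documented pattern) would cover all calls uniformly and let the per-call entries go; that route requires the cookie to be present, which is what the `ensure_csrf_cookie` decorator imported in the views file of this commit is for. The functions enclosing both calls start and end outside the hunks.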
......
......@@ -6,6 +6,7 @@
{% load static %}
<script src="{% static 'jquery-1.9.1.min.js' %}"></script>
<script type="text/javascript" src="{% static 'md5.js' %}"></script>
<script type="text/javascript" src="{% static 'common.js' %}" charset="UTF-8"></script>
</head>
<style type="text/css">
*{
......@@ -173,7 +174,7 @@
outline:none;
overflow: hidden;
background-size:contain;
background-image: url("/static/hunter/images/add.png");
background-image: url("/static/images/add.png");
}
.dele_edu{
width:110px;
......@@ -183,7 +184,7 @@
width:20px;
height:20px;
border:none;
background-image: url("/static/hunter/images/delete.png");
background-image: url("/static/images/delete.png");
}
......@@ -384,7 +385,7 @@
}
},
error:function (xhr) {
console.error('something went wrong...');
console.error('Modify personal resume failed...');
}
})
}
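Review bot: The corrected CSS paths are still hard-coded as `url("/static/images/add.png")` and `url("/static/images/delete.png")`, while the same template resolves its scripts through `{% static %}`; since this `<style>` block is rendered by Django, `background-image: url("{% static 'images/add.png' %}");` keeps the two mechanisms consistent and survives a change of `STATIC_URL`. The `dele_edu` rule and the surrounding style block continue outside the hunks.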
......
......@@ -123,7 +123,7 @@
{% for cve in cve_list %}
<ul id="cveid{{ cve.identifier }}">
<li class="cve_big_text"><a href="{{ cve.url }}" target="_blank">{{ cve.identifier }}</a></li>
<li class="li_right"><button class="dele_img" onclick="deleCVE({{ cve.identifier }})"></button></li>
<li class="li_right"><button class="dele_img" onclick="deleCVE('{{ cve.identifier }}')"></button></li>
<li class="li_right"><button class="edit_img" onclick="create_cve_edit_html(this)"></button></li>
<li class="li_right">{{ cve.datetime }}</li>
<li class="li_right">{{ cve.bugType }}</li>
......@@ -193,9 +193,10 @@
</div>
</footer>
<script type="text/javascript" src="{% static 'bootstrap.min.js' %}"></script>
<script type="text/javascript" src="{% static 'bootstrap-datetimepicker.js' %}" charset="UTF-8"></script>
<script type="text/javascript" src="{% static 'bootstrap-datetimepicker.zh-CN.js' %}" charset="UTF-8"></script>
<script type="text/javascript">
<script type="text/javascript" src="{% static 'bootstrap-datetimepicker.js' %}" charset="UTF-8"></script>
<script type="text/javascript" src="{% static 'bootstrap-datetimepicker.zh-CN.js' %}" charset="UTF-8"></script>
<script type="text/javascript" src="{% static 'common.js' %}" charset="UTF-8"></script>
<script type="text/javascript">
$('.form_datetime').datetimepicker({
//language: 'fr',
weekStart: 1,
......@@ -230,7 +231,6 @@
</script>
<script type="text/javascript">
function postAdminPage(){
console.log("call function postAdminPage");
$.post("../../ht/admin/", { username: "John", time: "2pm" } ); //Your values here..
......@@ -491,7 +491,7 @@
let date = $('#date_input').val();
let software = $("input[name='software']").val();
let url_cve = $("input[name='url_cve']").val();
if(url_cve.indexOf('http')===-1){
if(url_cve.indexOf('http') === -1){
url_cve='http://'+url_cve;
}
let formatData = new FormData();
......@@ -500,7 +500,8 @@
formatData.append("bugType", bugtype);
formatData.append("software", software);
formatData.append("date", date);
formatData.append("url",url_cve);
formatData.append("url", url_cve);
$.ajax({
url:"{% url 'hunter:add_cve' %} ",
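Review bot: The new `onclick="deleCVE('{{ cve.identifier }}')"` quotes the value, but Django's HTML autoescaping is not enough inside an event-handler attribute: the browser decodes `&#x27;` back to `'` before the handler is parsed as JavaScript, so an identifier containing a quote still terminates the string, and `identifier` originates from `request.POST['cve_id']` in the views changed by this commit. Use `onclick="deleCVE('{{ cve.identifier|escapejs }}')"`, or better put the value in a `data-cve-id="{{ cve.identifier }}"` attribute and bind the handler from script. Separately, `url_cve.indexOf('http') === -1` only tests for the substring anywhere in the value rather than the scheme prefix, and the stored value is emitted unchanged into `<a href="{{ cve.url }}">`; a prefix test such as `!/^https?:\/\//.test(url_cve)` is clearer client-side, and the scheme check belongs in `add_cve` server-side as well. The function building `formatData` continues outside the hunk.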
......
......@@ -9,6 +9,7 @@
<link rel="stylesheet" type="text/css" href="{% static 'md/markdown.css' %}">
<script type="text/javascript" src="{% static 'md/showdown.js' %}"></script>
<script type="text/javascript" src="{% static 'bootstrap.min.js' %}"></script>
<script type="text/javascript" src="{% static 'common.js' %}" charset="UTF-8"></script>
</head>
<body>
<nav>
......
......@@ -17,7 +17,7 @@ from django.db.models.aggregates import Count
from django.db.models import Count
from django.views.decorators.csrf import ensure_csrf_cookie
@csrf_exempt
def login(request):
username = request.POST['username']
password = request.POST['password']
......@@ -36,7 +36,7 @@ def login(request):
response = JsonResponse({"message": "密码错误"})
return response
@csrf_exempt
def logout(request):
print('call logout')
request.session['user_id'] = None
......@@ -44,7 +44,7 @@ def logout(request):
return response
@csrf_exempt
def profile_submit(request):
userID=request.POST["userID"]
name_hanzi=request.POST["name_hanzi"]
......@@ -86,7 +86,7 @@ def profile_submit(request):
return JsonResponse({"message":0,'error':e})
@csrf_exempt
def save_edit_art(request):
userID = request.POST.get('userID', '')
title = request.POST.get('title', '')
......@@ -109,7 +109,7 @@ def save_edit_art(request):
if int(is_have_file) > 0:
myfile = request.FILES['myfile']
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
destination = os.path.join(BASE_DIR, 'hunter', 'static', 'articles', myfile.name)
destination = os.path.join(BASE_DIR, 'static', 'articles', myfile.name)
if os.path.exists(destination):
os.remove(destination)
with open(destination, 'wb+') as dest:
......@@ -161,7 +161,7 @@ def add_url_article(request):
response = JsonResponse({"message": 0, 'error': '数据库错误'})
return response
@csrf_exempt
def delete_publication(request):
pub_id = request.POST['pub_id']
print(pub_id)
......@@ -175,7 +175,7 @@ def delete_publication(request):
return response
@csrf_exempt
def delete_cve(request):
cve_id = request.POST['cve_id']
try:
......@@ -187,7 +187,7 @@ def delete_cve(request):
return response
@csrf_exempt
def delete_article(request):
article_id = request.POST['article_id']
try:
......@@ -199,7 +199,7 @@ def delete_article(request):
return response
@csrf_exempt
def change_pub_status(request):
pubID = request.POST['pubID']
isOpen = request.POST['isOpen']
......@@ -210,7 +210,7 @@ def change_pub_status(request):
except ObjectDoesNotExist as e:
return JsonResponse({'message':0,'error':e})
@csrf_exempt
def add_publication(request):
title = request.POST['title']
print(title)
......@@ -234,7 +234,7 @@ def add_publication(request):
else:
pubID = Publications.objects.last().pubID+1
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
destination = os.path.join(BASE_DIR,'hunter', 'static', 'publications', myfile.name)
destination = os.path.join(BASE_DIR, 'static', 'publications', myfile.name)
if os.path.exists(destination):
os.remove(destination)
with open(destination,'wb+') as dest:
......@@ -291,7 +291,7 @@ def add_publication(request):
return response
@csrf_exempt
def edit_publication(request):
pubID = request.POST['pubID']
title = request.POST['title']
......@@ -311,7 +311,7 @@ def edit_publication(request):
if isHaveFile == '1':
myfile = request.FILES['myfile']
BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
destination = os.path.join(BASE_DIR,'hunter', 'static', 'publications', myfile.name)
destination = os.path.join(BASE_DIR, 'static', 'publications', myfile.name)
if os.path.exists(destination):
os.remove(destination)
with open(destination,'wb+') as dest:
......@@ -378,7 +378,7 @@ def edit_publication(request):
return JsonResponse({"message": 0})
return response
@csrf_exempt
def add_cve(request):
owner = request.POST['owner']
bugType = request.POST['bugType']
......@@ -398,7 +398,7 @@ def add_cve(request):
return response
@csrf_exempt
def edit_cve(request):
bugType = request.POST['bugType']
identifier = request.POST['cve_id']
......@@ -414,7 +414,7 @@ def edit_cve(request):
response = JsonResponse({"message": 0})
return response
@csrf_exempt
def update_article(request):
art_id = request.POST['art_id']
print('update_article, art_id = ', art_id)
......@@ -428,6 +428,6 @@ def update_article(request):
return JsonResponse({"message": "failed"})
@csrf_exempt
def add_article(request):
return 0
\ No newline at end of file
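Review bot: Dropping `@csrf_exempt` enforces tokens only if `CsrfViewMiddleware` is listed in `MIDDLEWARE`, which is not part of this diff, and the newly imported `ensure_csrf_cookie` is not applied to any view visible here, so pages that only call these endpoints via AJAX may never receive the `csrftoken` cookie; apply it to the view that renders the login page, or confirm a form-bearing page sets it. These views also still accept any method and index `request.POST[...]` directly, so a GET fails with a `MultiValueDictKeyError` (HTTP 500) rather than 405; `from django.views.decorators.http import require_POST` and `@require_POST` on each handler closes that. In `save_edit_art`, `add_publication` and `edit_publication` the changed `destination` lines write the upload under the web-served `static` tree using the client-supplied `myfile.name` and delete any existing file of that name first, so one user can replace another user's publication or article file; a server-generated name (for example `uuid4().hex` plus the validated extension) in a per-owner subdirectory avoids that. Each of these functions starts or ends outside its hunk.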
......@@ -137,9 +137,11 @@ def user_html(request, user_id):
u = {'userID': user_id, 'name': username}
my_publication_year_list = {}
pub_ids = PubToUser.objects.filter(userID=user_id).all().values('pubID')
print("user_html publications: ")
for pub_id in pub_ids:
print(pub_id)
#print(pub_id, )
pub = get_object_or_404(Publications, pk=pub_id['pubID'])
print(pub.pubID, pub.title)
year = str(pub.date)[0:4]
pub.date = str(pub.date)[5:10]
pub.link = pub.link.split('/')[-1]
......@@ -155,6 +157,7 @@ def user_html(request, user_id):
print(publication_year_list)
print(my_publication_year_list)
my_article_list = Articles.objects.filter(authorID=user_id).order_by('-editDateTime')
my_article_year_list = {}
for art in my_article_list:
......@@ -323,9 +326,6 @@ def profile_edit(request, user_id):
def check_admin_privilage(user_id):
try:
user_id = int(user_id)
......@@ -386,7 +386,6 @@ def user_score_records(request):
records = ScoreRecords.objects.filter(userID = user_id);
return render(request,"user_score.html", locals())
@csrf_exempt
def operator(request):
message = {}
print("cal api operator.")
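Review bot: The `print("user_html publications: ")`, `print(pub.pubID, pub.title)` and `print("cal api operator.")` calls, at least some of which appear new in these hunks, write debugging output to the process's stdout on every request; a module-level `logger = logging.getLogger(__name__)` with `logger.debug("user_html publications: %s", pub_ids)` keeps the output controllable by log level and consistent with the rest of the project. The `operator` view that loses `@csrf_exempt` here is posted to by `encryptSend('/operator/', data)` in a template of this commit without a visible token, so confirm the client sends one before merging. `user_html` and `operator` both continue outside their hunks.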
......