Prevented one form of DoS attack by limiting number of tags in query to 6.

[wolnelektury.git] / apps / catalogue / views.py

diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py
index ad9bde7..d8a61e3 100644 (file)
--- a/apps/catalogue/views.py
+++ b/apps/catalogue/views.py
@@ -71,12 +71,12 @@ def tags_starting_with(request):
 
 def main_page(request):    
     if request.user.is_authenticated():
-        extra_where = '(NOT catalogue_tag.category = "set" OR catalogue_tag.user_id = %d)' % request.user.id
-    else:
-        extra_where = 'NOT catalogue_tag.category = "set"'
+        shelves = models.Tag.objects.filter(category='set', user=request.user)
+        new_set_form = forms.NewSetForm()
+    extra_where = 'NOT catalogue_tag.category = "set"'
     tags = models.Tag.objects.usage_for_model(models.Book, counts=True, extra={'where': [extra_where]})
     fragment_tags = models.Tag.objects.usage_for_model(models.Fragment, counts=True,
-        extra={'where': ['catalogue_tag.category = "theme"']})
+        extra={'where': ['catalogue_tag.category = "theme"'] + [extra_where]})
     categories = split_tags(tags)
     
     form = forms.SearchForm()
@@ -97,20 +97,22 @@ def book_list(request):
 
 
 def tagged_object_list(request, tags=''):
+    # Prevent DoS attacks on our database
+    if len(tags.split('/')) > 6:
+        raise Http404
+        
     try:
         tags = models.Tag.get_tag_list(tags)
     except models.Tag.DoesNotExist:
         raise Http404
     
     model = models.Book
+    shelf_is_set = (len(tags) == 1 and tags[0].category == 'set')
     theme_is_set = any(tag.category == 'theme' for tag in tags)
     if theme_is_set:
         model = models.Fragment
-    
-    if request.user.is_authenticated():
-        extra_where = '(NOT catalogue_tag.category = "set" OR catalogue_tag.user_id = %d)' % request.user.id
-    else:
-        extra_where = 'NOT catalogue_tag.category = "set"'
+
+    extra_where = 'NOT catalogue_tag.category = "set"'
     related_tags = models.Tag.objects.related_for_model(tags, model, counts=True, extra={'where': [extra_where]})
     categories = split_tags(related_tags)
 
@@ -120,7 +122,7 @@ def tagged_object_list(request, tags=''):
         queryset_or_model=model,
         tags=tags,
         template_name='catalogue/tagged_object_list.html',
-        extra_context = {'categories': categories },
+        extra_context = {'categories': categories, 'shelf_is_set': shelf_is_set },
     )
 
 
@@ -129,6 +131,7 @@ def book_detail(request, slug):
     tags = list(book.tags.filter(~Q(category='set')))
     categories = split_tags(tags)
     
+    form = forms.SearchForm()
     return render_to_response('catalogue/book_detail.html', locals(),
         context_instance=RequestContext(request))
 
@@ -221,7 +224,11 @@ def new_set(request):
     new_set_form = forms.NewSetForm(request.POST)
     if new_set_form.is_valid():
         new_set = new_set_form.save(request.user)
-        return HttpResponse(u'<p>Półka <strong>%s</strong> została utworzona</p>' % new_set)
+        
+        if request.is_ajax():
+            return HttpResponse(u'<p>Półka <strong>%s</strong> została utworzona</p>' % new_set)
+        else:
+            return HttpResponseRedirect('/')
     
     return render_to_response('catalogue/book_sets.html', locals(),
             context_instance=RequestContext(request))
@@ -232,9 +239,13 @@ def new_set(request):
 def delete_shelf(request, slug):
     user_set = get_object_or_404(models.Tag, slug=slug, category='set', user=request.user)
     user_set.delete()
-    return HttpResponse(u'<p>Półka <strong>%s</strong> została usunięta</p>' % user_set.name)
-    
     
+    if request.is_ajax():
+        return HttpResponse(u'<p>Półka <strong>%s</strong> została usunięta</p>' % user_set.name)
+    else:
+        return HttpResponseRedirect('/')
+
+
 @login_required
 def user_shelves(request):
     shelves = models.Tag.objects.filter(category='set', user=request.user)