X-Git-Url: https://git.mdrn.pl/wolnelektury.git/blobdiff_plain/108c9cc4636b04f4ba3f0edd67c26acbdca36984..05de464fd2f287d8ea3a26560c18afcac32d7f1e:/apps/catalogue/views.py diff --git a/apps/catalogue/views.py b/apps/catalogue/views.py index 3b9f31d16..d8a61e35e 100644 --- a/apps/catalogue/views.py +++ b/apps/catalogue/views.py @@ -73,16 +73,13 @@ def main_page(request): if request.user.is_authenticated(): shelves = models.Tag.objects.filter(category='set', user=request.user) new_set_form = forms.NewSetForm() - extra_where = '((NOT catalogue_tag.category = "set" AND catalogue_tag.main_page = 1) OR catalogue_tag.user_id = %d)' % request.user.id - else: - extra_where = 'NOT catalogue_tag.category = "set" AND catalogue_tag.main_page = 1' + extra_where = 'NOT catalogue_tag.category = "set"' tags = models.Tag.objects.usage_for_model(models.Book, counts=True, extra={'where': [extra_where]}) fragment_tags = models.Tag.objects.usage_for_model(models.Fragment, counts=True, extra={'where': ['catalogue_tag.category = "theme"'] + [extra_where]}) categories = split_tags(tags) form = forms.SearchForm() - return render_to_response('catalogue/main_page.html', locals(), context_instance=RequestContext(request)) @@ -100,20 +97,22 @@ def book_list(request): def tagged_object_list(request, tags=''): + # Prevent DoS attacks on our database + if len(tags.split('/')) > 6: + raise Http404 + try: tags = models.Tag.get_tag_list(tags) except models.Tag.DoesNotExist: raise Http404 model = models.Book + shelf_is_set = (len(tags) == 1 and tags[0].category == 'set') theme_is_set = any(tag.category == 'theme' for tag in tags) if theme_is_set: model = models.Fragment - - if request.user.is_authenticated(): - extra_where = '(NOT catalogue_tag.category = "set" OR catalogue_tag.user_id = %d)' % request.user.id - else: - extra_where = 'NOT catalogue_tag.category = "set"' + + extra_where = 'NOT catalogue_tag.category = "set"' related_tags = models.Tag.objects.related_for_model(tags, model, counts=True, extra={'where': [extra_where]}) categories = split_tags(related_tags) @@ -123,7 +122,7 @@ def tagged_object_list(request, tags=''): queryset_or_model=model, tags=tags, template_name='catalogue/tagged_object_list.html', - extra_context = {'categories': categories }, + extra_context = {'categories': categories, 'shelf_is_set': shelf_is_set }, )