better user data validation for gridftp upload view
[qcg-portal.git] / qcg / views.py
index 3f3532e..adc4676 100644 (file)
@@ -5,6 +5,7 @@ from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.contrib.auth.decorators import login_required
+from django.core.exceptions import SuspiciousOperation
 from django.core.urlresolvers import reverse
 from django.db.models import Q
 from django.http import HttpResponse, QueryDict
@@ -15,7 +16,7 @@ from django.utils.timezone import UTC
 from django_openid_auth.views import make_consumer
 from openid.extensions import ax
 
-from filex.forms import HostPathNameForm, RenameForm, ArchiveForm
+from filex.forms import HostPathNameForm, RenameForm, ArchiveForm, HostPathForm
 from qcg.forms import FiltersForm, ColumnsForm, JobDescriptionForm, EnvFormSet
 from qcg.utils import paginator_context
 from qcg.service import update_user_data, submit_job
@@ -187,8 +188,14 @@ def gridftp(request):
                   {'new_dir_form': HostPathNameForm(), 'rename_form': RenameForm(),  'archive_form': ArchiveForm()})
 
 
+@login_required
 def gridftp_upload(request):
-    # TODO GET data validation
+    form = HostPathForm(request.GET)
+
+    if not form.is_valid():
+        raise SuspiciousOperation('Invalid parameters for `gridftp_upload`!')
+
     return render(request, 'qcg/gridftp_upload.html',
-                  {'url': reverse('filex:upload') + '?' + request.GET.urlencode(safe='/'),
-                   'host': request.GET.get('host'), 'path': request.GET.get('path')})
+                  {'url': reverse('filex:upload') + '?' + urlencode(form.cleaned_data),
+                   'host': form.cleaned_data['host'], 'path': form.cleaned_data['path'],
+                   'sep': '/' if form.cleaned_data['path'].startswith('~') else ''})
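Review bot: `urlencode` on the new `'url'` line is not brought into scope by the two import hunks above; unless the file already imports it elsewhere (e.g. `from django.utils.http import urlencode`), this view fails with NameError on its first request, after form validation has already passed. A plain `urlencode(form.cleaned_data)` also differs from the replaced `request.GET.urlencode(safe='/')` in that `/` characters in `path` are now percent-encoded, so the query string handed to `filex:upload` changes shape — worth confirming that endpoint decodes it as intended. The `'sep'` expression would benefit from a one-line comment explaining why a `~`-prefixed path gets a `/` separator, since the template that consumes it is not visible here, e.g. `# paths relative to the home dir ('~') need an explicit '/' after the host in the template`. Raising `SuspiciousOperation` on an invalid form is a reasonable 400 response; note that its message string is what ends up in the server log, so keep it free of the user-supplied values.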