better user data validation for gridftp upload view
authorMaciej Tronowski <mtro@man.poznan.pl>
Mon, 20 Apr 2015 15:27:07 +0000 (17:27 +0200)
committerMaciej Tronowski <mtro@man.poznan.pl>
Mon, 20 Apr 2015 15:27:07 +0000 (17:27 +0200)
filex/templates/filex/upload.html
qcg/views.py

index a25be47..346fc1d 100644 (file)
@@ -1,6 +1,6 @@
 <header class="container-fluid">
     <h3>{% block title %}Wgrywanie plików{% endblock %}</h3>
-    <p id="path"><span class="text-muted">Lokalizacja:</span> {{ host }}{{ path }}</p>
+    <p id="path"><span class="text-muted">Lokalizacja:</span> {{ host }}{{ sep }}{{ path }}</p>
 </header>
 
 <form enctype="multipart/form-data" method="post" action="{{ url }}" hidden>
index 3f3532e..adc4676 100644 (file)
@@ -5,6 +5,7 @@ from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth import REDIRECT_FIELD_NAME
 from django.contrib.auth.decorators import login_required
+from django.core.exceptions import SuspiciousOperation
 from django.core.urlresolvers import reverse
 from django.db.models import Q
 from django.http import HttpResponse, QueryDict
@@ -15,7 +16,7 @@ from django.utils.timezone import UTC
 from django_openid_auth.views import make_consumer
 from openid.extensions import ax
 
-from filex.forms import HostPathNameForm, RenameForm, ArchiveForm
+from filex.forms import HostPathNameForm, RenameForm, ArchiveForm, HostPathForm
 from qcg.forms import FiltersForm, ColumnsForm, JobDescriptionForm, EnvFormSet
 from qcg.utils import paginator_context
 from qcg.service import update_user_data, submit_job
@@ -187,8 +188,14 @@ def gridftp(request):
                   {'new_dir_form': HostPathNameForm(), 'rename_form': RenameForm(),  'archive_form': ArchiveForm()})
 
 
+@login_required
 def gridftp_upload(request):
-    # TODO GET data validation
+    form = HostPathForm(request.GET)
+
+    if not form.is_valid():
+        raise SuspiciousOperation('Invalid parameters for `gridftp_upload`!')
+
     return render(request, 'qcg/gridftp_upload.html',
-                  {'url': reverse('filex:upload') + '?' + request.GET.urlencode(safe='/'),
-                   'host': request.GET.get('host'), 'path': request.GET.get('path')})
+                  {'url': reverse('filex:upload') + '?' + urlencode(form.cleaned_data),
+                   'host': form.cleaned_data['host'], 'path': form.cleaned_data['path'],
+                   'sep': '/' if form.cleaned_data['path'].startswith('~') else ''})
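Review bot: `urlencode` is called in the new `'url'` entry, but none of the import hunks shown add it, so confirm it is already imported in qcg/views.py and that it is `django.utils.http.urlencode`. If this runs on Python 2, plain `urllib.urlencode` raises UnicodeEncodeError on non-ASCII values in `cleaned_data`, which would turn a valid path into a 500. Separately, the check here only guards the rendered page: host and path still travel to `filex:upload` in the query string, which a client can request directly, so that view needs its own `HostPathForm` validation and login check (neither is visible in this diff). For triage of the resulting 400s it would help to name the failing fields without echoing their values, e.g. `raise SuspiciousOperation('Invalid parameters for gridftp_upload: %s' % ', '.join(form.errors))`.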