
[bug] Insecure redirect after publishing etc. #421

Open
fsbraun opened this issue Aug 23, 2024 · 2 comments
Labels
good first issue Good for newcomers

Comments

fsbraun (Member) commented Aug 23, 2024

djangocms-versioning implements a set of redirects after a version state change, e.g., redirect to the published version after publishing.

Depending on the site setup, those redirects might fail, e.g. when publishing a child page of an app-hooked page. The app hook "swallows" all URLs below its own, and a redirect to the just-published page fails with a 404.

djangocms-versioning should first check if the redirect URLs are reversible and, if not, implement a fallback solution.

Affected IMHO are two instances:

As a fallback, I suggest using the preview URL if conf.ON_PUBLISH_REDIRECT in ("preview", "published"), otherwise the version list url.

To check if the URL is valid, resolve can be used:

from django.urls import resolve, Resolver404

try:
    resolve(url)  # raises Resolver404 when no URL pattern matches the path
except Resolver404:
    url = fallback
@fsbraun fsbraun added the good first issue Good for newcomers label Oct 15, 2024
@django-cms django-cms deleted a comment from sourcery-ai bot Nov 30, 2024
fsbraun (Member, Author) commented Nov 30, 2024

@sourcery-ai plan

sourcery-ai bot commented Nov 30, 2024

Objectives

  • Implement URL validation for redirects after version state changes in djangocms_versioning
  • Add URL resolution check using Django's resolve() function before performing redirects
  • Create a fallback mechanism to use preview URLs when the primary redirect URL is not resolvable
  • Fix redirect handling in VersionAdmin class for 'free' state changes
  • Fix redirect handling after publishing content when get_absolute_url() returns an unresolvable URL
  • Update affected code paths in admin.py to use the new URL validation and fallback system
  • Add tests to verify URL validation and fallback behavior works correctly

Setup commands

File changes

djangocms_versioning/admin.py

  • Add URL validation check before redirecting after publish action
  • Add URL validation check before redirecting after free state changes
  • Add resolve_url helper method to validate URLs using Django's resolve
  • Update publish_view to use preview URL as fallback when publish URL is not resolvable
  • Update unpublish_view to use preview URL as fallback when unpublish URL is not resolvable

djangocms_versioning/helpers.py

  • Add is_url_resolvable helper function to check if a URL can be resolved
  • Update get_preview_url to handle cases where preview URL is not resolvable

Verify commands

  • python manage.py test djangocms_versioning.tests.test_admin

This plan was automatically generated.
Please review the plan carefully and make any necessary adjustments.
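A standalone version of the check and fallback order described in the opening comment and restated in the generated plan above, added here as an example; it is not code from the issue or from djangocms-versioning. It assumes the ON_PUBLISH_REDIRECT values "preview" and "published" named in the comment plus any other value meaning "version list", and it uses a constructed URLconf (`KNOWN_PATHS`, `demo_resolver`) in place of a real site; the admin paths in it are made up. Two caveats the issue's snippet does not cover: `resolve()` takes a path, not a URL, so a value from `get_absolute_url()` that carries a host or query string has to be reduced to its path first, and a successful resolve only shows that some pattern matches the path, not that the matched view will return 200 rather than raise Http404.

```python
from urllib.parse import urlparse

try:
    from django.urls import Resolver404, resolve
except ImportError:
    # Assumption: lets the helpers run in a plain Python session without
    # Django installed; inside the project the real django.urls objects are used.
    class Resolver404(Exception):
        pass

    def resolve(path):
        raise Resolver404({"path": path})


def is_resolvable(url, resolver=None):
    """Return True if the path component of `url` matches a URL pattern.

    resolve() expects a path, so scheme, host and query string are stripped
    first. A match only means some pattern claims the path; the matched view
    may still raise Http404 at request time.
    """
    resolver = resolver or resolve
    path = urlparse(url).path or "/"
    try:
        resolver(path)
    except Resolver404:
        return False
    return True


def pick_redirect_url(published_url, preview_url, version_list_url,
                      on_publish_redirect="published", resolver=None):
    """Choose the post-publish redirect target in the order the issue proposes:
    the published page if it resolves, otherwise the preview URL when
    ON_PUBLISH_REDIRECT is "preview" or "published", otherwise the version
    list. The version list is the last resort because it is an admin URL and
    does not depend on the CMS page tree.
    """
    if on_publish_redirect == "published":
        candidates = [published_url, preview_url]
    elif on_publish_redirect == "preview":
        candidates = [preview_url]
    else:
        candidates = []
    for candidate in candidates:
        if is_resolvable(candidate, resolver):
            return candidate
    return version_list_url


# --- Constructed demonstration data (not a real site, paths are invented) ----
# "/en/blog/" is an app-hooked page; its app owns everything below it, so the
# freshly published child "/en/blog/news/" has no matching pattern.
KNOWN_PATHS = {
    "/en/",
    "/en/blog/",
    "/admin/cms/pagecontent/42/preview/",
    "/admin/djangocms_versioning/pagecontentversion/",
}

PREVIEW_URL = "/admin/cms/pagecontent/42/preview/"
VERSION_LIST_URL = "/admin/djangocms_versioning/pagecontentversion/?grouper=7"


def demo_resolver(path):
    """Stand-in for django.urls.resolve backed by KNOWN_PATHS."""
    if path not in KNOWN_PATHS:
        raise Resolver404({"path": path})
    return path


def demo(published_url, on_publish_redirect="published"):
    """Redirect target the admin would use after publishing `published_url`."""
    return pick_redirect_url(published_url, PREVIEW_URL, VERSION_LIST_URL,
                             on_publish_redirect, resolver=demo_resolver)


if __name__ == "__main__":
    print(demo("/en/"))                                # page resolves: "/en/"
    print(demo("https://example.com/en/blog/news/"))   # swallowed by app hook: preview
    print(demo("/en/blog/news/", "versions"))          # setting wants the list
```

Injecting the resolver keeps the decision logic testable without a configured URLconf; in the project the default `django.urls.resolve` is used and the helper is called with the output of `get_absolute_url()` or `get_preview_url()`.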
