Autorise uniquement les requêtes POST pour signaler une faute dans un…

… contenu (#6330) Et s'assure que le paramètre `target` existe avant de l'utiliser.
zestedesavoir · Jun 16, 2022 · d43fa12 · d43fa12
1 parent d861945
commit d43fa12
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/zds/tutorialv2/tests/tests_views/tests_content.py b/zds/tutorialv2/tests/tests_views/tests_content.py
@@ -9,6 +9,7 @@
 from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth.models import Group
+from django.http import HttpResponseNotAllowed
 from django.urls import reverse
 from django.test import TestCase
 from django.utils.translation import gettext_lazy as _
@@ -2760,6 +2761,22 @@ def test_warn_typo(self):
 
         self.client.force_login(self.user_guest)
 
+        # check the request to warn about a typo can't be a GET
+        result = self.client.get(
+            reverse("content:warn-typo") + f"?pk={tuto.pk}",
+            {"pk": tuto.pk, "version": sha_beta, "text": typo_text, "target": ""},
+            follow=True,
+        )
+        self.assertEqual(result.status_code, HttpResponseNotAllowed.status_code)
+
+        # check the 'target' field in the request isn't mandatory
+        result = self.client.post(
+            reverse("content:warn-typo") + f"?pk={tuto.pk}",
+            {"pk": tuto.pk, "version": sha_beta, "text": typo_text},
+            follow=True,
+        )
+        self.assertEqual(result.status_code, 200)
+
         # check if user can warn typo in tutorial
         result = self.client.post(
             reverse("content:warn-typo") + f"?pk={tuto.pk}",

diff --git a/zds/tutorialv2/views/misc.py b/zds/tutorialv2/views/misc.py
@@ -80,6 +80,7 @@ class WarnTypo(SingleContentFormViewMixin):
     must_be_author = False
     only_draft_version = False
 
+    http_method_names = ["post"]
     object = None
 
     def get_form_kwargs(self):
@@ -90,7 +91,7 @@ def get_form_kwargs(self):
         kwargs["content"] = versioned
         kwargs["targeted"] = versioned
 
-        if self.request.POST["target"]:
+        if "target" in self.request.POST and self.request.POST["target"] != "":
             kwargs["targeted"] = search_container_or_404(versioned, self.request.POST["target"])
 
         kwargs["public"] = True