Fix server-side XSS security warning
This commit is contained in:
parent
1066c1bde1
commit
85b180c9fc
@ -136,9 +136,18 @@ class TestApiProfile(DirectoriesMixin, APITestCase):
|
|||||||
WHEN:
|
WHEN:
|
||||||
- API call is made to disconnect a social account
|
- API call is made to disconnect a social account
|
||||||
THEN:
|
THEN:
|
||||||
- Social account is deleted from the user
|
- Social account is deleted from the user or request fails
|
||||||
"""
|
"""
|
||||||
|
|
||||||
|
# Test with invalid id
|
||||||
|
response = self.client.post(
|
||||||
|
f"{self.ENDPOINT}disconnect_social_account/",
|
||||||
|
{"id": -1},
|
||||||
|
)
|
||||||
|
|
||||||
|
self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST)
|
||||||
|
|
||||||
|
# Test with valid id
|
||||||
social_account_id = self.user.socialaccount_set.all()[0].pk
|
social_account_id = self.user.socialaccount_set.all()[0].pk
|
||||||
|
|
||||||
response = self.client.post(
|
response = self.client.post(
|
||||||
@ -147,7 +156,7 @@ class TestApiProfile(DirectoriesMixin, APITestCase):
|
|||||||
)
|
)
|
||||||
|
|
||||||
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
self.assertEqual(response.status_code, status.HTTP_200_OK)
|
||||||
self.assertEqual(response.data, str(social_account_id))
|
self.assertEqual(response.data, social_account_id)
|
||||||
|
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
len(self.user.socialaccount_set.filter(pk=social_account_id)),
|
len(self.user.socialaccount_set.filter(pk=social_account_id)),
|
||||||
|
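Review bot: The new negative test only covers `{"id": -1}`, a well-formed integer that merely does not exist; it never exercises a missing `id` key or a non-numeric value such as `{"id": "x"}`, which is the kind of malformed input a client can actually send to this endpoint. Adding a second post with an empty body `{}` and one with `{"id": "not-a-number"}`, both asserting `status.HTTP_400_BAD_REQUEST`, would pin the view's input handling rather than only its not-found branch. The enclosing test method starts before the hunk, so the docstring's "or request fails" wording is the only part of its contract visible here.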
@ -2,11 +2,13 @@ import os
|
|||||||
from collections import OrderedDict
|
from collections import OrderedDict
|
||||||
|
|
||||||
from allauth.socialaccount.adapter import get_adapter
|
from allauth.socialaccount.adapter import get_adapter
|
||||||
|
from allauth.socialaccount.models import SocialAccount
|
||||||
from django.contrib import messages
|
from django.contrib import messages
|
||||||
from django.contrib.auth.models import Group
|
from django.contrib.auth.models import Group
|
||||||
from django.contrib.auth.models import User
|
from django.contrib.auth.models import User
|
||||||
from django.db.models.functions import Lower
|
from django.db.models.functions import Lower
|
||||||
from django.http import HttpResponse
|
from django.http import HttpResponse
|
||||||
|
from django.http import HttpResponseBadRequest
|
||||||
from django.views.generic import View
|
from django.views.generic import View
|
||||||
from django_filters.rest_framework import DjangoFilterBackend
|
from django_filters.rest_framework import DjangoFilterBackend
|
||||||
from rest_framework.authtoken.models import Token
|
from rest_framework.authtoken.models import Token
|
||||||
@ -183,11 +185,13 @@ class DisconnectSocialAccountView(GenericAPIView):
|
|||||||
def post(self, request, *args, **kwargs):
|
def post(self, request, *args, **kwargs):
|
||||||
user = self.request.user
|
user = self.request.user
|
||||||
|
|
||||||
user.socialaccount_set.get(pk=request.data["id"]).delete()
|
try:
|
||||||
|
account = user.socialaccount_set.get(pk=request.data["id"])
|
||||||
return Response(
|
account_id = account.id
|
||||||
request.data["id"],
|
account.delete()
|
||||||
)
|
return Response(account_id)
|
||||||
|
except SocialAccount.DoesNotExist:
|
||||||
|
return HttpResponseBadRequest("Social account not found")
|
||||||
|
|
||||||
|
|
||||||
class SocialAccountProvidersView(APIView):
|
class SocialAccountProvidersView(APIView):
|
||||||
|
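Review bot: A request whose `id` is missing or not an integer still ends in a 500 from the new `post`, because the `try` catches only `SocialAccount.DoesNotExist`: `request.data["id"]` raises `KeyError`, and, as I read Django's integer-pk coercion, `get(pk="abc")` raises `ValueError`/`TypeError`. The new test exercises only `-1`, a well-formed integer, so this path is untested. I would coerce and widen the handler: `account = user.socialaccount_set.get(pk=int(request.data["id"]))` and `except (KeyError, ValueError, TypeError, SocialAccount.DoesNotExist):`. Returning `account.id` instead of echoing `request.data["id"]` does remove the reflected value, which is the point of the commit; for consistency with the surrounding DRF view, a `Response({"detail": "Social account not found"}, status=400)` would also go through content negotiation instead of emitting a bare text/html body from `HttpResponseBadRequest`.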