| |
@@ -704,6 +704,8 @@
|
| |
""" Presents the settings of the project.
|
| |
"""
|
| |
if admin_session_timedout():
|
| |
+ if flask.request.method == 'POST':
|
| |
+ flask.flash('Action canceled, try it again', 'error')
|
| |
return flask.redirect(
|
| |
flask.url_for('auth_login', next=flask.request.url))
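Review bot: The `admin_session_timedout()` guard is now written out by hand in every settings handler of this commit, in two slightly different shapes (flash-on-POST then `next=flask.request.url` here, versus an unconditional flash and `next=url_for('view_settings', ...)` in the POST-only handlers), which is the kind of duplication that drifts apart on the next edit. A small private helper returning the redirect response, e.g. `def _timed_out_redirect(username, repo, flash_on_post_only=False): ...` with the flash and `auth_login` redirect inside it, would keep the message text and the `next` target in one place. The enclosing view function's `def` line is outside this hunk, so the docstring at the top is assumed to belong to `view_settings`.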
|
| |
|
| |
@@ -742,6 +744,9 @@
|
| |
flask.flash(message)
|
| |
return flask.redirect(flask.url_for(
|
| |
'view_repo', username=username, repo=repo.name))
|
| |
+ except pagure.exceptions.PagureException as msg:
|
| |
+ SESSION.rollback()
|
| |
+ flask.flash(msg, 'error')
|
| |
except SQLAlchemyError, err: # pragma: no cover
|
| |
SESSION.rollback()
|
| |
flask.flash(str(err), 'error')
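Review bot: The new `except pagure.exceptions.PagureException as msg:` branch flashes the exception object itself, while the `SQLAlchemyError` branch directly below flashes `str(err)`; flashed messages are stored in the session, and whether an exception instance survives the session serializer in use is not something this hunk establishes. For consistency and to avoid depending on that, use `flask.flash(str(msg), 'error')`. The `try:` block and the enclosing function both start before this hunk.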
|
| |
@@ -764,6 +769,13 @@
|
| |
def update_project(repo, username=None):
|
| |
""" Update the description of a project.
|
| |
"""
|
| |
+ if admin_session_timedout():
|
| |
+ flask.flash('Action canceled, try it again', 'error')
|
| |
+ url = flask.url_for(
|
| |
+ 'view_settings', username=username, repo=repo.name)
|
| |
+ return flask.redirect(
|
| |
+ flask.url_for('auth_login', next=url))
|
| |
+
|
| |
repo = pagure.lib.get_project(SESSION, repo, user=username)
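Review bot: In `update_project` the new guard builds `url = flask.url_for('view_settings', username=username, repo=repo.name)` before the line `repo = pagure.lib.get_project(SESSION, repo, user=username)` rebinds `repo`, so at that point `repo` is still the string route parameter and a timed-out admin session will raise `AttributeError` instead of redirecting to the login page. The sibling hunks in this commit (`delete_repo`, the hook-token and git-regeneration handlers) correctly pass `repo=repo`; this one should too: `'view_settings', username=username, repo=repo)`.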
|
| |
|
| |
if not repo:
|
| |
@@ -799,8 +811,11 @@
|
| |
""" Delete the present project.
|
| |
"""
|
| |
if admin_session_timedout():
|
| |
+ flask.flash('Action canceled, try it again', 'error')
|
| |
+ url = flask.url_for(
|
| |
+ 'view_settings', username=username, repo=repo)
|
| |
return flask.redirect(
|
| |
- flask.url_for('auth_login', next=flask.request.url))
|
| |
+ flask.url_for('auth_login', next=url))
|
| |
|
| |
repo = pagure.lib.get_project(SESSION, repo, user=username)
|
| |
|
| |
@@ -853,8 +868,11 @@
|
| |
""" Re-generate a hook token for the present project.
|
| |
"""
|
| |
if admin_session_timedout():
|
| |
+ flask.flash('Action canceled, try it again', 'error')
|
| |
+ url = flask.url_for(
|
| |
+ 'view_settings', username=username, repo=repo)
|
| |
return flask.redirect(
|
| |
- flask.url_for('auth_login', next=flask.request.url))
|
| |
+ flask.url_for('auth_login', next=url))
|
| |
|
| |
repo = pagure.lib.get_project(SESSION, repo, user=username)
|
| |
|
| |
@@ -890,8 +908,11 @@
|
| |
""" Remove the specified user from the project.
|
| |
"""
|
| |
if admin_session_timedout():
|
| |
+ flask.flash('Action canceled, try it again', 'error')
|
| |
+ url = flask.url_for(
|
| |
+ 'view_settings', username=username, repo=repo)
|
| |
return flask.redirect(
|
| |
- flask.url_for('auth_login', next=flask.request.url))
|
| |
+ flask.url_for('auth_login', next=url))
|
| |
|
| |
repo = pagure.lib.get_project(SESSION, repo, user=username)
|
| |
|
| |
@@ -942,6 +963,8 @@
|
| |
""" Add the specified user from the project.
|
| |
"""
|
| |
if admin_session_timedout():
|
| |
+ if flask.request.method == 'POST':
|
| |
+ flask.flash('Action canceled, try it again', 'error')
|
| |
return flask.redirect(
|
| |
flask.url_for('auth_login', next=flask.request.url))
|
| |
|
| |
@@ -996,6 +1019,8 @@
|
| |
""" Add the specified group from the project.
|
| |
"""
|
| |
if admin_session_timedout():
|
| |
+ if flask.request.method == 'POST':
|
| |
+ flask.flash('Action canceled, try it again', 'error')
|
| |
return flask.redirect(
|
| |
flask.url_for('auth_login', next=flask.request.url))
|
| |
|
| |
@@ -1048,8 +1073,11 @@
|
| |
""" Regenerate the specified git repo with the content in the project.
|
| |
"""
|
| |
if admin_session_timedout():
|
| |
+ flask.flash('Action canceled, try it again', 'error')
|
| |
+ url = flask.url_for(
|
| |
+ 'view_settings', username=username, repo=repo)
|
| |
return flask.redirect(
|
| |
- flask.url_for('auth_login', next=flask.request.url))
|
| |
+ flask.url_for('auth_login', next=url))
|
| |
|
| |
repo = pagure.lib.get_project(SESSION, repo, user=username)
|
| |
|
| |
@@ -1095,6 +1123,8 @@
|
| |
""" Add a token to a specified project.
|
| |
"""
|
| |
if admin_session_timedout():
|
| |
+ if flask.request.method == 'POST':
|
| |
+ flask.flash('Action canceled, try it again', 'error')
|
| |
return flask.redirect(
|
| |
flask.url_for('auth_login', next=flask.request.url))
|
| |
|
| |
@@ -1147,8 +1177,11 @@
|
| |
""" Revokie a token to a specified project.
|
| |
"""
|
| |
if admin_session_timedout():
|
| |
+ flask.flash('Action canceled, try it again', 'error')
|
| |
+ url = flask.url_for(
|
| |
+ 'view_settings', username=username, repo=repo)
|
| |
return flask.redirect(
|
| |
- flask.url_for('auth_login', next=flask.request.url))
|
| |
+ flask.url_for('auth_login', next=url))
|
| |
|
| |
repo = pagure.lib.get_project(SESSION, repo, user=username)
|
| |
|
| |
This method (`no_js(...)`) feels very error prone to me. It misses a lot of cases, for example when the script tag is capitalized or mixed-case. Or when I write `<iframe src="javascript:alert('hi');"></iframe>` instead of a plain script tag. Or if I use an `<embed>` tag which contains a malicious SVG. Or if I use an `<img>` tag with a malicious `onmouseover` attribute and make it really large so people mouse over it by accident. I am still in favor of disabling HTML input altogether. It is not worth the security risks involved.