dashboard: don't allow GET request to autotile (#45053)

2020-07-11 22:56:24 +02:00 · 2020-07-11 22:56:24 +02:00 · 24980ab6fe
parent 3e97633723
commit 24980ab6fe
2 changed files with 8 additions and 1 deletions
--- a/combo/apps/dashboard/views.py
+++ b/combo/apps/dashboard/views.py
@ -21,7 +21,7 @@ from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import PermissionDenied
 from django.urls import reverse
 from django.db.models import Max, Min
-from django.http import Http404, HttpResponse, HttpResponseBadRequest, HttpResponseRedirect
+from django.http import Http404, HttpResponse, HttpResponseBadRequest, HttpResponseRedirect, HttpResponseNotAllowed
 from django.utils.encoding import force_text
 from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import View
@ -111,6 +111,9 @@ dashboard_remove_tile = DashboardRemoveTileView.as_view()

@csrf_exempt
 def dashboard_auto_tile(request, *args, **kwargs):
+    if request.method != 'POST':
+        return HttpResponseNotAllowed(['post'])
+
    dashboard = DashboardCell.objects.all()[0]
    cell = ConfigJsonCell(key=kwargs.get('key'), order=1,
            page_id=dashboard.page_id, placeholder='_auto_tile')
--- a/tests/test_dashboard.py
+++ b/tests/test_dashboard.py
@ -214,6 +214,10 @@ def test_auto_tile(app, site):
                    params=json.dumps({'var2': 'two'}),
                    content_type='application/json', status=400)

+            # and with a GET instead of POST
+            resp = app.get(reverse('combo-dashboard-auto-tile', kwargs={'key': 'test-config-json-cell'}),
+                    status=405)
+

 def test_clean_autotiles(app, site):
    appconfig = apps.get_app_config('dashboard')