dashboard: don't allow GET request to autotile (#45053)
parent
3e97633723
commit
24980ab6fe
|
@ -21,7 +21,7 @@ from django.contrib.contenttypes.models import ContentType
|
|||
from django.core.exceptions import PermissionDenied
|
||||
from django.urls import reverse
|
||||
from django.db.models import Max, Min
|
||||
from django.http import Http404, HttpResponse, HttpResponseBadRequest, HttpResponseRedirect
|
||||
from django.http import Http404, HttpResponse, HttpResponseBadRequest, HttpResponseRedirect, HttpResponseNotAllowed
|
||||
from django.utils.encoding import force_text
|
||||
from django.views.decorators.csrf import csrf_exempt
|
||||
from django.views.generic import View
|
||||
|
@ -111,6 +111,9 @@ dashboard_remove_tile = DashboardRemoveTileView.as_view()
|
|||
|
||||
@csrf_exempt
|
||||
def dashboard_auto_tile(request, *args, **kwargs):
|
||||
if request.method != 'POST':
|
||||
return HttpResponseNotAllowed(['post'])
|
||||
|
||||
dashboard = DashboardCell.objects.all()[0]
|
||||
cell = ConfigJsonCell(key=kwargs.get('key'), order=1,
|
||||
page_id=dashboard.page_id, placeholder='_auto_tile')
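Review bot: `HttpResponseNotAllowed(['post'])` sends `Allow: post`, but HTTP method tokens are case-sensitive, so the new guard in `dashboard_auto_tile` should read `return HttpResponseNotAllowed(['POST'])`, or the manual check could be replaced by Django's `@require_POST` decorator. The view is still `@csrf_exempt`, so limiting it to POST does not by itself stop a cross-site form submission from adding a tile for a logged-in user. If the exemption is required for cross-origin callers, checking the request origin against the known sites would narrow that. A comment above the decorator such as `# csrf_exempt: called cross-origin by <caller>; POST only because it creates a cell` would record the intent. The function body continues outside the hunk, so authentication handling is not visible here.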
|
||||
|
|
|
@ -214,6 +214,10 @@ def test_auto_tile(app, site):
|
|||
params=json.dumps({'var2': 'two'}),
|
||||
content_type='application/json', status=400)
|
||||
|
||||
# and with a GET instead of POST
|
||||
resp = app.get(reverse('combo-dashboard-auto-tile', kwargs={'key': 'test-config-json-cell'}),
|
||||
status=405)
|
||||
|
||||
|
||||
def test_clean_autotiles(app, site):
|
||||
appconfig = apps.get_app_config('dashboard')
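Review bot: The added GET case in `test_auto_tile` checks only `status=405` and leaves `resp` unused, so it would still pass if the view created the tile before rejecting the request. Pinning the actual property means comparing the tile count before and after the call, e.g. `assert ConfigJsonCell.objects.count() == count_before`, assuming the model is importable in this test module, which is not visible in the hunk. The test function starts outside the hunk.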
|
||||
|
|