attribute_kinds: check types at date (de)serialization time (#76883)

Poorly-configured authn backends can lead to erroneous date data types sent
to profile attributes. Date attribute (de)serialization should perform
type checks.
This commit is contained in:
Paul Marillonnet 2023-04-24 09:59:13 +02:00
parent 8c79a9ce88
commit 7c158f96bf
2 changed files with 32 additions and 4 deletions


@ -246,6 +246,18 @@ class ProfileImageFile:
return default_storage.url(self.name)
def date_serialize(date):
if date and isinstance(date, datetime.date):
return date.isoformat()
return ''
def date_deserialize(iso_string):
if iso_string and isinstance(iso_string, str):
return datetime.datetime.strptime(iso_string, '%Y-%m-%d').date()
return None
def profile_image_serialize(uploadedfile):
if not uploadedfile:
return ''
@ -352,16 +364,16 @@ DEFAULT_ATTRIBUTE_KINDS = [
'label': _('date'),
'name': 'date',
'field_class': DateField,
'serialize': lambda x: x and x.isoformat(),
'deserialize': lambda x: x and datetime.datetime.strptime(x, '%Y-%m-%d').date(),
'serialize': date_serialize,
'deserialize': date_deserialize,
'rest_framework_field_class': DateRestField,
},
{
'label': _('birthdate'),
'name': 'birthdate',
'field_class': BirthdateField,
'serialize': lambda x: x and x.isoformat(),
'deserialize': lambda x: x and datetime.datetime.strptime(x, '%Y-%m-%d').date(),
'serialize': date_serialize,
'deserialize': date_deserialize,
'rest_framework_field_class': BirthdateRestField,
},
{
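Review bot: `date_serialize` still lets `datetime.datetime` values through, because `isinstance(date, datetime.date)` is true for the `datetime` subclass, so a datetime arriving from a misconfigured backend is serialized with a time part (`2000-01-01T00:00:00`) that `date_deserialize`'s `strptime(iso_string, '%Y-%m-%d')` will then reject with a `ValueError` on the way back. Normalising first, `if isinstance(date, datetime.datetime): date = date.date()`, or rejecting the subclass explicitly, would keep the two functions round-trippable. Relatedly, `date_deserialize` guards only the type: a malformed string still propagates `ValueError` out of `strptime`, which is inconsistent with the `None` returned for a wrong type, so either wrap the call in `try: ... except ValueError: return None` or document that callers must handle the exception. A short docstring on each helper, e.g. `"""Return the ISO date string for a date, or '' for anything else."""` and `"""Parse a YYYY-MM-DD string into a date; return None for non-strings."""`, would also make the intended contract explicit, since the `date and` / `iso_string and` prefixes only matter for the empty string.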


@ -509,6 +509,22 @@ def test_birthdate_api(db, app, admin, mailoutbox, freezer):
qs.delete()
def test_birthdate_buggy_type(db, admin):
attr = Attribute.objects.create(
name='birthdate', label='birthdate', kind='birthdate', asked_on_registration=True
)
attr.set_value(owner=admin, value='2000-01-01')
admin.refresh_from_db()
assert admin.attributes.birthdate is None
def test_date_buggy_type(db, admin):
attr = Attribute.objects.create(name='date', label='date', kind='date', asked_on_registration=True)
attr.set_value(owner=admin, value='2000-01-01')
admin.refresh_from_db()
assert admin.attributes.date is None
def test_profile_image(db, app, admin, mailoutbox):
Attribute.objects.create(
name='cityscape_image',
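Review bot: `test_birthdate_buggy_type` and `test_date_buggy_type` are the same test body with only the kind changed, so a single parametrized test, `@pytest.mark.parametrize('kind', ['date', 'birthdate'])`, would express the intent once (assuming the module already imports `pytest`, which its fixture-style signatures suggest). Each test would also benefit from a one-line docstring stating what "buggy type" means, e.g. `"""A str stored where a date is expected must be dropped, not raise."""`, since the assertion alone does not say why `None` is the expected outcome. Neither test covers a value of the wrong type that is not a `str` (an `int`, or a `datetime.datetime`), so the guard added in the other file is only exercised on one of its branches. The enclosing test module continues past this hunk.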