backoffice: check back value of lookup form (#88247)
This commit is contained in:
parent
75030a2bd7
commit
2399c72d27
|
@ -3889,6 +3889,13 @@ def test_formdata_lookup(pub):
|
|||
resp = resp.follow()
|
||||
assert 'No such tracking code or identifier.' in resp.text
|
||||
|
||||
# check it's not possible to replace back value with anything else
|
||||
for invalid_value in ('http://example.invalid/', 'xxx'):
|
||||
resp = app.get('/backoffice/management/listing')
|
||||
resp.forms[0]['back'] = invalid_value
|
||||
resp = resp.forms[0].submit()
|
||||
assert resp.location == 'http://example.net/backoffice/management/'
|
||||
|
||||
|
||||
def test_backoffice_sidebar_user_context(pub):
|
||||
user = create_user(pub)
|
||||
|
|
|
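Review bot: The new loop exercises only the rejection path; nothing in the hunk shows that an allowed value such as `'listing'` still round-trips, so a regression that rejects every back value would pass this test unchanged. Add a positive case alongside the loop, e.g. `resp.forms[0]['back'] = 'listing'` then `resp = resp.forms[0].submit()` and an assertion that `resp.location` ends with `/backoffice/management/listing` (the exact absolute URL depends on the form action, which is not visible here). test_formdata_lookup starts outside the hunk.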
@ -298,7 +298,10 @@ class ManagementDirectory(Directory):
|
|||
get_session().message = None
|
||||
return redirect(formdata.get_url(backoffice=True))
|
||||
|
||||
return redirect(get_request().form.get('back') or '.')
|
||||
back_place = get_request().form.get('back')
|
||||
if back_place not in ('listing', 'forms'):
|
||||
back_place = '.' # auto
|
||||
return redirect(back_place)
|
||||
|
||||
def get_lookup_sidebox(self, back_place=''):
|
||||
r = TemplateIO(html=True)
|
||||
|
|
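Review bot: The allowlist on `if back_place not in ('listing', 'forms'):` is the security-relevant check in this hunk, but its only comment, `# auto`, does not say why the raw value is no longer used, so a later edit could quietly reintroduce the caller-supplied target. Suggest replacing it with `# allowlist of relative targets: never redirect to a caller-supplied URL`. Since get_lookup_sidebox takes the same back_place, consider hoisting the tuple into a class-level constant that both sites use so the two lists cannot drift apart. The enclosing method starts outside the hunk.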