From 88ac8061a2f6d45af97b6292ecca2b7d43ff5415 Mon Sep 17 00:00:00 2001
From: Robin Sonnabend <robin@fsmpi.rwth-aachen.de>
Date: Mon, 22 Feb 2021 21:01:54 +0100
Subject: [PATCH] Make protocol metadata a link if it's an URL pointing to a
 whitelisted domain

This only affects the website, the PDF version isn't changed. By default
the whitelist is empty.
For issue #236
---
 configproxy.py               | 11 ++++++++---
 models/database.py           | 13 +++++++++++++
 templates/protocol-show.html |  4 ++--
 3 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/configproxy.py b/configproxy.py
index 73f7a0b..7d5ce97 100755
--- a/configproxy.py
+++ b/configproxy.py
@@ -158,13 +158,13 @@ def check_security(SECRET_KEY, SECURITY_KEY, SESSION_PROTECTION, SESSION_COOKIE_
             "Insufficient length of SECURITY_KEY, should be at "
             "least {}!".format(
                 MIN_KEY_LENGTH))
-    check_choice("SESSION_PROTECTION", SESSION_PROTECTION, ["strong"])
+    check_choice("SESSION_PROTECTION", SESSION_PROTECTION, ["strong", "none"])
     check_choice("SESSION_COOKIE_SECURE", SESSION_COOKIE_SECURE, [True, False])
     check_choice("SESSION_COOKIE_HTTPONLY", SESSION_COOKIE_HTTPONLY, [True, False])
     check_choice("SESSION_COOKIE_SAMESITE", SESSION_COOKIE_SAMESITE, ["Lax", "Strict"])
 
 
-def check_server_name(SERVER_NAME, PREFERRED_URL_SCHEME, CDN_URL):
+def check_server_name(SERVER_NAME, PREFERRED_URL_SCHEME, CDN_URL, PERMITTED_METADATA_DOMAINS):
     # todo: check ip address and server name
     check_choice(
         "PREFERRED_URL_SCHEME", PREFERRED_URL_SCHEME,
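Review bot: Accepting `"none"` for SESSION_PROTECTION in check_security is not mentioned in the commit message, and it lets a deployment pass the security check with session protection apparently switched off (how the value is consumed is not visible here). If it is needed, it belongs in its own commit with a comment on the line, for example `# "none" turns session protection off; keep "strong" in production`. Separately, check_server_name now receives PERMITTED_METADATA_DOMAINS, but its body continues outside the hunk, so it cannot be seen whether the value is validated. A check that it is a list of bare host names (no scheme, path or whitespace) would catch entries that can never match.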
@@ -491,7 +491,12 @@ CONFIG_SECTIONS = [
                 name="CDN_URL",
                 default=None,
                 required=False, internal=False,
-                description="URL to get bootstrap and jQuery from.")
+                description="URL to get bootstrap and jQuery from."),
+            ConfigEntry(
+                name="PERMITTED_METADATA_DOMAINS",
+                default=[],
+                required=False, internal=False,
+                description="Domains allowed to be linked to in protocol metadata (e.g. location)."),
         ],
         check=check_server_name,
         description="Where is the website hosted"),
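Review bot: The description of PERMITTED_METADATA_DOMAINS does not say what form an entry must take. Meta.is_url tests the parsed URL's `netloc` for exact membership, so an entry has to be the host exactly as written in the URL (including any port, no scheme), and listing a parent domain does not cover its subdomains. Suggested wording: `description="Exact host names (no scheme, no wildcards) that protocol metadata such as the location may link to."`. It is also worth confirming that ConfigEntry copies `default=[]` rather than handing the same list object to every consumer.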
diff --git a/models/database.py b/models/database.py
index 3a5a2cb..49e256a 100644
--- a/models/database.py
+++ b/models/database.py
@@ -4,6 +4,7 @@ from datetime import datetime
 from io import BytesIO
 from enum import Enum
 from uuid import uuid4
+from urllib.parse import urlparse
 
 from shared import (
     db, date_filter_short, escape_tex, DATE_KEY, START_TIME_KEY, END_TIME_KEY,
@@ -901,6 +902,18 @@ class Meta(DatabaseModel):
     def get_parent(self):
         return self.protocol
 
+    def is_url(self):
+        print(self.value)
+        url = urlparse(self.value)
+        if not url.scheme == "https":
+            print(self.value, 1)
+            return False
+        if not url.netloc or url.netloc not in config.PERMITTED_METADATA_DOMAINS:
+            print(self.value, 2)
+            return False
+        print(self.value, 3)
+        return True
+
 
 class Like(DatabaseModel):
     __tablename__ = "likes"
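Review bot: The four `print` calls in Meta.is_url look like leftover debugging and write every metadata value to stdout each time a protocol page is rendered, including values of metas marked internal. `urlparse` can also raise ValueError on some malformed input (for example an unbalanced `[` in the host part), so a single bad metadata value would make the page fail instead of falling back to plain text. The name is_url undersells the check, which is "https URL on a permitted domain", so a short comment or docstring saying that would help. `config` is assumed to be in scope in this module, since its import is not visible in the hunk.

```python
    def is_url(self):
        # Only https URLs whose host is listed in PERMITTED_METADATA_DOMAINS count.
        try:
            url = urlparse(self.value)
        except ValueError:
            # malformed value: render it as plain text instead of failing the page
            return False
        if url.scheme != "https":
            return False
        return bool(url.netloc) and url.netloc in config.PERMITTED_METADATA_DOMAINS
```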
diff --git a/templates/protocol-show.html b/templates/protocol-show.html
index b5546fe..3ee2817 100644
--- a/templates/protocol-show.html
+++ b/templates/protocol-show.html
@@ -79,7 +79,7 @@
                 {% if has_public_view_right %}
                     {% for meta in protocol.metas %}
                         {% if not meta.internal or has_private_view_right %}
-                            <p><strong>{{meta.name}}:</strong> {{meta.value}}</p>
+                            <p><strong>{{meta.name}}:</strong> {% if meta.is_url() %}<a href="{{meta.value}}">{{meta.value}}</a>{% else %}{{meta.value}}{% endif %}</p>
                         {% endif %}
                     {% endfor %}
                 {% endif %}
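Review bot: The inline `{% if meta.is_url() %}<a href=…>…{% else %}…{% endif %}` is duplicated verbatim here and in the second hunk of this file, so a later change to one copy can leave the other behind. A small Jinja macro taking `meta` would keep both in step. The `href` is only safe because is_url restricts the scheme to https and the template presumably runs with autoescaping on, which deserves a one-line template comment such as `{# is_url() only accepts https URLs on PERMITTED_METADATA_DOMAINS #}`. Consider `<a href="{{meta.value}}" rel="noreferrer">` so that following the link does not pass referrer information from a protocol page to the external host.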
@@ -88,7 +88,7 @@
                     <p><strong>Geplant:</strong> {{protocol.date|datify_long}}, {{protocol.get_time()|timify}}</p>
                 {% endif %}
                 {% for meta in protocol.metas %}
-                    <p><strong>{{meta.name}}:</strong> {{meta.value}}</p>
+                    <p><strong>{{meta.name}}:</strong> {% if meta.is_url() %}<a href="{{meta.value}}">{{meta.value}}</a>{% else %}{{meta.value}}{% endif %}</p>
                 {% endfor %}
             {% endif %}
 
-- 
GitLab