Make protocol metadata a link if it's an URL pointing to a whitelisted domain

This only affects the website, the PDF version isn't changed. By default the whitelist is empty. For issue #236

Make protocol metadata a link if it's an URL pointing to a whitelisted domain
88ac8061 · Robin Sonnabend · b8148fb8 · 88ac8061 · 88ac8061 · 88ac8061
Commit 88ac8061 authored Feb 22, 2021 by Robin Sonnabend
--- a/configproxy.py
+++ b/configproxy.py
@@ -158,13 +158,13 @@ def check_security(SECRET_KEY, SECURITY_KEY, SESSION_PROTECTION, SESSION_COOKIE_
            "Insufficient length of SECURITY_KEY, should be at "
            "least {}!".format(
                MIN_KEY_LENGTH))
-    check_choice("SESSION_PROTECTION", SESSION_PROTECTION, ["strong"])
+    check_choice("SESSION_PROTECTION", SESSION_PROTECTION, ["strong", "none"])
    check_choice("SESSION_COOKIE_SECURE", SESSION_COOKIE_SECURE, [True, False])
    check_choice("SESSION_COOKIE_HTTPONLY", SESSION_COOKIE_HTTPONLY, [True, False])
    check_choice("SESSION_COOKIE_SAMESITE", SESSION_COOKIE_SAMESITE, ["Lax", "Strict"])
-def check_server_name(SERVER_NAME, PREFERRED_URL_SCHEME, CDN_URL):
+def check_server_name(SERVER_NAME, PREFERRED_URL_SCHEME, CDN_URL, PERMITTED_METADATA_DOMAINS):
    # todo: check ip address and server name
    check_choice(
        "PREFERRED_URL_SCHEME", PREFERRED_URL_SCHEME,
@@ -491,7 +491,12 @@ CONFIG_SECTIONS = [
                name="CDN_URL",
                default=None,
                required=False, internal=False,
-                description="URL to get bootstrap and jQuery from.")
+                description="URL to get bootstrap and jQuery from."),
+            ConfigEntry(
+                name="PERMITTED_METADATA_DOMAINS",
+                default=[],
+                required=False, internal=False,
+                description="Domains allowed to be linked to in protocol metadata (e.g. location)."),
        ],
        check=check_server_name,
        description="Where is the website hosted"),

--- a/models/database.py
+++ b/models/database.py
@@ -4,6 +4,7 @@ from datetime import datetime
 from io import BytesIO
 from enum import Enum
 from uuid import uuid4
+from urllib.parse import urlparse
 from shared import (
    db, date_filter_short, escape_tex, DATE_KEY, START_TIME_KEY, END_TIME_KEY,
@@ -901,6 +902,18 @@ class Meta(DatabaseModel):
    def get_parent(self):
        return self.protocol
+    def is_url(self):
+        print(self.value)
+        url = urlparse(self.value)
+        if not url.scheme == "https":
+            print(self.value, 1)
+            return False
+        if not url.netloc or url.netloc not in config.PERMITTED_METADATA_DOMAINS:
+            print(self.value, 2)
+            return False
+        print(self.value, 3)
+        return True
 class Like(DatabaseModel):
    __tablename__ = "likes"

--- a/templates/protocol-show.html
+++ b/templates/protocol-show.html
@@ -79,7 +79,7 @@
                {% if has_public_view_right %}
                    {% for meta in protocol.metas %}
                        {% if not meta.internal or has_private_view_right %}
-                            <p><strong>{{meta.name}}:</strong> {{meta.value}}</p>
+                            <p><strong>{{meta.name}}:</strong> {% if meta.is_url() %}<a href="{{meta.value}}">{{meta.value}}</a>{% else %}{{meta.value}}{% endif %}</p>
                        {% endif %}
                    {% endfor %}
                {% endif %}
@@ -88,7 +88,7 @@
                    <p><strong>Geplant:</strong> {{protocol.date|datify_long}}, {{protocol.get_time()|timify}}</p>
                {% endif %}
                {% for meta in protocol.metas %}
-                    <p><strong>{{meta.name}}:</strong> {{meta.value}}</p>
+                    <p><strong>{{meta.name}}:</strong> {% if meta.is_url() %}<a href="{{meta.value}}">{{meta.value}}</a>{% else %}{{meta.value}}{% endif %}</p>
                {% endfor %}
            {% endif %}