Wrap views receiving passwords in in sensitive_post_parameters (#1795)

rafalp · Aug 17, 2024 · bb21b2f · bb21b2f
1 parent a7faeb4
commit bb21b2f
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 3 deletions.
diff --git a/misago/account/views/settings.py b/misago/account/views/settings.py
@@ -3,14 +3,14 @@
 from django.conf import settings
 from django.contrib import messages
 from django.contrib.auth import get_user_model, logout
-from django.core.exceptions import PermissionDenied
 from django.forms import Form, ValidationError
 from django.http import Http404, HttpRequest, HttpResponse
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
 from django.utils.decorators import method_decorator
 from django.utils.translation import gettext as _, pgettext, pgettext_lazy
 from django.views import View
+from django.views.decorators.debug import sensitive_post_parameters
 
 from ...auth.decorators import login_required
 from ...core.mail import build_mail
@@ -248,6 +248,7 @@ class AccountPasswordView(AccountSettingsFormView):
         "account settings password changed", "Password changed"
     )
 
+    @method_decorator(sensitive_post_parameters())
     def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
         if request.settings.enable_oauth2_client:
             raise Http404()
@@ -293,6 +294,7 @@ class AccountEmailView(AccountSettingsFormView):
         "account settings email confirm", "Confirmation email sent"
     )
 
+    @method_decorator(sensitive_post_parameters("current_password"))
     def dispatch(self, request: HttpRequest, *args: Any, **kwargs: Any) -> HttpResponse:
         if request.settings.enable_oauth2_client:
             raise Http404()

diff --git a/misago/account/views/validate.py b/misago/account/views/validate.py
@@ -5,6 +5,7 @@
 from django.core.exceptions import BadRequest, ValidationError
 from django.http import HttpRequest, JsonResponse
 from django.utils.translation import pgettext
+from django.views.decorators.debug import sensitive_post_parameters
 
 from ...users.validators import validate_email, validate_username
 
@@ -76,6 +77,7 @@ def email(request: HttpRequest) -> JsonResponse:
     validate_email(value, user)
 
 
+@sensitive_post_parameters()
 @validation_view
 def password(request: HttpRequest) -> JsonResponse:
     user = get_user_from_data(request)

diff --git a/misago/auth/views.py b/misago/auth/views.py
@@ -3,7 +3,7 @@
 from django.http import Http404, HttpRequest, HttpResponse
 from django.shortcuts import redirect, render
 from django.urls import reverse
-from django.utils.translation import pgettext
+from django.utils.decorators import method_decorator
 from django.views import View
 from django.views.decorators.cache import never_cache
 from django.views.decorators.debug import sensitive_post_parameters
@@ -18,6 +18,8 @@ class LoginView(View):
     template_name: str = "misago/auth/login_page.html"
     form_type = AuthenticationForm
 
+    @method_decorator(sensitive_post_parameters())
+    @method_decorator(never_cache)
     def dispatch(self, request: HttpRequest, **kwargs) -> HttpResponse:
         if self.is_view_disabled():
             raise Http404()
@@ -83,7 +85,7 @@ def is_view_disabled(self) -> bool:
         return is_misago_login_page_disabled()
 
 
-login = sensitive_post_parameters()(never_cache(LoginView.as_view()))
+login = LoginView.as_view()
 
 
 def delegated_login(request: HttpRequest, *, message: str | None = None):

diff --git a/misago/users/admin/views/users.py b/misago/users/admin/views/users.py
@@ -1,7 +1,9 @@
 from django.contrib import messages
 from django.contrib.auth import get_user_model, update_session_auth_hash
 from django.shortcuts import redirect
+from django.utils.decorators import method_decorator
 from django.utils.translation import pgettext, pgettext_lazy
+from django.views.decorators.debug import sensitive_post_parameters
 
 from ....acl.useracl import get_user_acl
 from ....admin.auth import authorize_admin
@@ -288,6 +290,10 @@ class NewUser(UserAdmin, generic.ModelFormView):
         "admin users", 'New user "%(user)s" has been registered.'
     )
 
+    @method_decorator(sensitive_post_parameters("new_password"))
+    def dispatch(self, request, *args, **kwargs):
+        return super().dispatch(request, *args, **kwargs)
+
     def get_form(self, form_class, request, target):
         if request.method == "POST":
             return form_class(
@@ -322,6 +328,10 @@ class EditUser(UserAdmin, generic.ModelFormView):
     template_name = "edit.html"
     message_submit = pgettext_lazy("admin users", 'User "%(user)s" has been edited.')
 
+    @method_decorator(sensitive_post_parameters("new_password"))
+    def dispatch(self, request, *args, **kwargs):
+        return super().dispatch(request, *args, **kwargs)
+
     def real_dispatch(self, request, target):
         target.old_username = target.username
         target.old_is_avatar_locked = target.is_avatar_locked