Merge pull request #1285 from watchdogpolska/dev

v1.1.13 fixes: 2 master
watchdogpolska · Apr 28, 2023 · d679321 · d679321
2 parents d2b881e + d9d749e
commit d679321
Show file tree

Hide file tree

Showing 10 changed files with 84 additions and 56 deletions.
diff --git a/config/settings/common.py b/config/settings/common.py
@@ -412,3 +412,39 @@
 
 # The number of years after which cases will be listed to delete
 YEARS_TO_STORE_CASES = env.int("YEARS_TO_STORE_CASES", 6)
+
+BLEACH_ALLOWED_TAGS = {
+    "a",
+    "abbr",
+    "acronym",
+    "b",
+    "blockquote",
+    "code",
+    "em",
+    "h1",
+    "h2",
+    "h3",
+    "h4",
+    "h5",
+    "h6",
+    "strong",
+    "em",
+    "p",
+    "ul",
+    "ol",
+    "i",
+    "li",
+    "br",
+    "sub",
+    "sup",
+    "hr",
+    "pre",
+    "img",
+}
+
+BLEACH_ALLOWED_ATTRIBUTES = ALLOWED_ATTRIBUTES = {
+    "a": ["href", "title"],
+    "abbr": ["title"],
+    "acronym": ["title"],
+    "img": ["alt", "src", "title"],
+}
diff --git a/poradnia/__init__.py b/poradnia/__init__.py
@@ -1,4 +1,4 @@
-__version__ = "1.1.12"
+__version__ = "1.1.13"
 
 
 # Compatibility to eg. django-rest-framework

diff --git a/poradnia/cases/locale/pl/LC_MESSAGES/django.mo b/poradnia/cases/locale/pl/LC_MESSAGES/django.mo
diff --git a/poradnia/cases/locale/pl/LC_MESSAGES/django.po b/poradnia/cases/locale/pl/LC_MESSAGES/django.po
@@ -4,8 +4,8 @@ msgstr ""
 "Project-Id-Version: \n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2023-04-27 18:50+0200\n"
-"PO-Revision-Date: 2023-04-27 18:48+0124\n"
-"Last-Translator:   <[email protected]>\n"
+"PO-Revision-Date: 2023-04-28 13:31+0124\n"
+"Last-Translator: Pio Iwa <[email protected]>\n"
 "Language-Team: \n"
 "Language: pl\n"
 "MIME-Version: 1.0\n"
@@ -105,7 +105,8 @@ msgstr "Grupa uprawnień"
 msgid "Notify user"
 msgstr "Powiadom użytkownika"
 
-#: poradnia/cases/forms.py:101 poradnia/cases/templates/cases/case_close.html:9
+#: poradnia/cases/forms.py:101
+#: poradnia/cases/templates/cases/case_close.html:9
 #: poradnia/cases/templates/cases/case_detail.html:47
 msgid "Close"
 msgstr "Zamknij"
@@ -314,16 +315,12 @@ msgstr "Usuń"
 #, python-format
 msgid ""
 "\n"
-"                        Created by <a href=\"%(created_url)s\">"
-"%(created_user)s</a> on\n"
-"                        %(created_on)s for <a href=\"%(client_url)s\">"
-"%(client_user)s</a>"
+"                        Created by <a href=\"%(created_url)s\">%(created_user)s</a> on\n"
+"                        %(created_on)s for <a href=\"%(client_url)s\">%(client_user)s</a>"
 msgstr ""
 "\n"
-"                        Utworzona przez <a href=\"%(created_url)s\">"
-"%(created_user)s</a> o \n"
-"                        %(created_on)s dla <a href=\"%(client_url)s\">"
-"%(client_user)s</a>"
+"                        Utworzona przez <a href=\"%(created_url)s\">%(created_user)s</a> o \n"
+"                        %(created_on)s dla <a href=\"%(client_url)s\">%(client_user)s</a>"
 
 #: poradnia/cases/templates/cases/case_detail.html:85
 msgid "Workflow"
@@ -370,11 +367,11 @@ msgstr "Brak wpisów"
 #: poradnia/cases/templates/cases/case_detail.html:183
 #, python-format
 msgid ""
-"The letter can also be sent via <a href=\"mailto:%(email)s\">e-mail address</"
-"a>."
+"The letter can also be sent via <a href=\"mailto:%(email)s\">e-mail "
+"address</a>."
 msgstr ""
-"List może zostać przesłany także z wykorzystaniem <a href=\"mailto:%(email)s"
-"\">poczty elektronicznej</a>."
+"List może zostać przesłany także z wykorzystaniem <a "
+"href=\"mailto:%(email)s\">poczty elektronicznej</a>."
 
 #: poradnia/cases/templates/cases/case_filter.html:39
 msgid "No."
@@ -410,8 +407,8 @@ msgid "Cases have status changed by staff."
 msgstr ""
 "Zgłoszona przez Ciebie sprawa otrzymuje najpierw status \"wolna\". To "
 "znaczy, że nie wiadomo jeszcze, która z udzielających porad osób Ci pomoże. "
-"Kiedy już wyznaczona zostanie ta osoba, porada zmieni status na \"przypisana"
-"\". A gdy już Ci pomożemy \"zakończona\"."
+"Kiedy już wyznaczona zostanie ta osoba, porada zmieni status na "
+"\"przypisana\". A gdy już Ci pomożemy \"zakończona\"."
 
 #: poradnia/cases/templates/cases/case_filter.html:124
 msgid "There is no cases."
@@ -445,8 +442,8 @@ msgstr "Potwierdzenie usunięcia uprawnień"
 #: poradnia/cases/templates/cases/case_permission_remove_confirm.html:15
 #, python-format
 msgid ""
-"Are you sure you want to remove the permissions on the case \"%(case)s\" for "
-"user %(user)s?"
+"Are you sure you want to remove the permissions on the case \"%(case)s\" for"
+" user %(user)s?"
 msgstr ""
 "Czy jesteś pewien, że chcesz usunąć uprawnienia do sprawy \"%(case)s\" dlla "
 "użytkownika %(user)s?"
@@ -475,7 +472,7 @@ msgstr "Zaangażowani z zespołu"
 #: poradnia/cases/templates/cases/case_table.html:58
 msgid "Cases that do have letter with status done (case subject not in bold)."
 msgstr ""
-"Sprawy, które mają list ze statusem \"wykonany\" (temat sprawy nie jest "
+"Sprawy, które mają list ze statusem `wykonany` (temat sprawy nie jest "
 "pogrubiony)."
 
 #: poradnia/cases/templates/cases/case_table.html:62

diff --git a/poradnia/letters/templatetags/format_text.py b/poradnia/letters/templatetags/format_text.py
@@ -7,36 +7,8 @@
 
 register = template.Library()
 cleaner = Cleaner(
-    tags=[
-        "a",
-        "abbr",
-        "acronym",
-        "b",
-        "blockquote",
-        "code",
-        "em",
-        "i",
-        "li",
-        "ol",
-        "strong",
-        "ul",
-        "h1",
-        "h2",
-        "h3",
-        "h4",
-        "h5",
-        "h6",
-        "p",
-        "hr",
-        "pre",
-        "img",
-    ],
-    attributes={
-        "a": ["href", "title"],
-        "img": ["alt", "src", "title"],
-        "abbr": ["title"],
-        "acronym": ["title"],
-    },
+    tags=settings.BLEACH_ALLOWED_TAGS,
+    attributes=settings.BLEACH_ALLOWED_ATTRIBUTES,
 )
 
 

diff --git a/poradnia/letters/tests/test_views.py b/poradnia/letters/tests/test_views.py
@@ -4,6 +4,7 @@
 import zipfile
 from io import BytesIO
 
+import bleach
 from django.conf import settings
 from django.contrib.sites.models import Site
 from django.core import mail
@@ -580,9 +581,14 @@ def test_sample_request(self):
             "<html>\n<body>\n<p>Hello,</p>\n<p>This is an example email with "
             "<b>HTML</b> content.</p>\n<p>Regards,<br/>Sender</p>\n</body>\n</html>"
         )
-
+        html_eml_part_sanitized = bleach.clean(
+            html_eml_part,
+            tags=settings.BLEACH_ALLOWED_TAGS,
+            attributes=settings.BLEACH_ALLOWED_ATTRIBUTES,
+            strip=True,
+        )
         self.assertEqual(eml_content, self.get_eml_content().decode("utf-8"))
-        self.assertEqual(html_content, html_eml_part)
+        self.assertEqual(html_content, html_eml_part_sanitized)
         self.assertEqual(attachment_content, "my-content")
 
     def test_reopen_case_free(self):

diff --git a/poradnia/letters/views/cbv.py b/poradnia/letters/views/cbv.py
@@ -2,6 +2,7 @@
 import json
 import logging
 
+import bleach
 import django_filters
 from ajax_datatable import AjaxDatatableView
 from atom.ext.crispy_forms.views import FormSetMixin
@@ -315,7 +316,12 @@ def create_letter(self, request, actor, case, manifest):
         eml_file = letter.eml.open("rb")
         htm_content = get_html_from_eml_file(eml_file=eml_file)
         eml_file.close()
-        letter.html = htm_content
+        letter.html = bleach.clean(
+            htm_content,
+            tags=settings.BLEACH_ALLOWED_TAGS,
+            attributes=settings.BLEACH_ALLOWED_ATTRIBUTES,
+            strip=True,
+        )
         letter.save()
         logger.info(
             f"Letter {letter.id} created by {actor.email}"

diff --git a/poradnia/users/admin.py b/poradnia/users/admin.py
@@ -40,7 +40,11 @@ class UserAdmin(AdminImageMixin, AuthUserAdmin):
                     "notify_old_cases",
                 )
             },
-        )
+        ),
+        (
+            _("Avatar"),
+            {"fields": ("picture",)},
+        ),
     ]
     list_display = (
         "pk",

diff --git a/poradnia/users/models.py b/poradnia/users/models.py
@@ -1,3 +1,4 @@
+import logging
 import re
 
 from django.contrib.auth.models import AbstractUser, UserManager
@@ -20,6 +21,8 @@
 
 cup_co = "caseuserobjectpermission__content_object"
 
+logger = logging.getLogger(__name__)
+
 
 class UserQuerySet(QuerySet):
     def for_user(self, user):
@@ -222,6 +225,10 @@ def notify(self, actor, verb, **kwargs):
         context = kwargs
         context["email"] = from_email  # TODO: Drop this alias
         context["actor"] = actor
+        logger.info(
+            f"Sending notification email {template_key} "
+            f"from {email_name} to {self.email} with context: {context}"
+        )
         return self.send_template_email(template_key, context, email_name)
 
     def get_absolute_url(self):

diff --git a/poradnia/users/templates/users/user_form.html b/poradnia/users/templates/users/user_form.html
@@ -14,7 +14,7 @@
         <div class="col-lg-8 col-md-10 col-sm-12 col-xs-12 col-lg-offset-2 col-md-offset-1">
             <h1>{% block header %}{% trans 'User' %}: {{ user.get_nicename }}{% endblock %}</h1>
             {% block form %}
-            <form class="form-horizontal" method="post">
+            <form enctype="multipart/form-data" class="form-horizontal" method="post">
                 {% csrf_token %}
                 {% crispy form %}
             </form>