From 9ba3fdf23dda3edc327d4ac01a3cb0236ffca76a Mon Sep 17 00:00:00 2001
From: Oliver
Date: Sat, 18 Jun 2022 16:42:50 +1000
Subject: [PATCH 1/3] Only enable browsable API if in debug mode (#3221)
(cherry picked from commit 6556cbd163feba5e1aa1e19a9b8f89614349292b)
---
 InvenTree/InvenTree/settings.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/InvenTree/InvenTree/settings.py b/InvenTree/InvenTree/settings.py
index 142f0e97ac..9487de5e6a 100644
--- a/InvenTree/InvenTree/settings.py
+++ b/InvenTree/InvenTree/settings.py
@@ -391,9 +391,16 @@ REST_FRAMEWORK = {
 'InvenTree.permissions.RolePermission',
 ),
 'DEFAULT_SCHEMA_CLASS': 'rest_framework.schemas.coreapi.AutoSchema',
- 'DEFAULT_METADATA_CLASS': 'InvenTree.metadata.InvenTreeMetadata'
+ 'DEFAULT_METADATA_CLASS': 'InvenTree.metadata.InvenTreeMetadata',
+ 'DEFAULT_RENDERER_CLASSES': [
+ 'rest_framework.renderers.JSONRenderer',
+ ]
 }
+if DEBUG:
+ # Enable browsable API if in DEBUG mode
+ REST_FRAMEWORK['DEFAULT_RENDERER_CLASSES'].append('rest_framework.renderers.BrowsableAPIRenderer')
+
 WSGI_APPLICATION = 'InvenTree.wsgi.application'
 """
From eeff6074e7633651883ac266bef93f123faed5a5 Mon Sep 17 00:00:00 2001
From: Oliver
Date: Sat, 18 Jun 2022 17:08:47 +1000
Subject: [PATCH 2/3] Adds a simple unit test to ensure that bleach is running on API data (#3222)
---
 InvenTree/part/test_api.py | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
diff --git a/InvenTree/part/test_api.py b/InvenTree/part/test_api.py
index 3d2c0d8a06..eb7364eca6 100644
--- a/InvenTree/part/test_api.py
+++ b/InvenTree/part/test_api.py
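Review bot: The new `if DEBUG:` block says what it does but not why the browsable renderer is withheld outside debug, and that rationale belongs in the comment so a later edit does not restore DRF's default renderer list. Suggest `# Production serves JSON only: the browsable renderer emits HTML forms and endpoint metadata,` followed by `# so it stays a debug-only convenience.` in place of the one-line comment. Note also that with `JSONRenderer` as the sole renderer a client whose Accept header names only `text/html` is refused with 406 under DRF's default negotiation, if I read it correctly, which is worth a line in the deployment notes rather than in code. The block depends on `DEBUG` being bound earlier in settings.py, which the hunk does not show.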
@@ -148,6 +148,37 @@ class PartCategoryAPITest(InvenTreeAPITestCase):
 # There should not be any templates left at this point
 self.assertEqual(PartCategoryParameterTemplate.objects.count(), 0)
+ def test_bleach(self):
+ """Test that the data cleaning functionality is working"""
+
+ url = reverse('api-part-category-detail', kwargs={'pk': 1})
+
+ self.patch(
+ url,
+ {
+ 'description': '',
+ },
+ expected_code=200
+ )
+
+ cat = PartCategory.objects.get(pk=1)
+
+ # Image tags have been stripped
+ self.assertEqual(cat.description, '<img src=# onerror=alert("pwned")>')
+
+ self.patch(
+ url,
+ {
+ 'description': 'LINK',
+ },
+ expected_code=200,
+ )
+
+ # Tags must have been bleached out
+ cat.refresh_from_db()
+
+ self.assertEqual(cat.description, 'LINK<script>alert("h4x0r")</script>')
+
 class PartOptionsAPITest(InvenTreeAPITestCase):
 """Tests for the various OPTIONS endpoints in the /part/ API.
From eb255e84d868ff9bf17365e774c0b53552391814 Mon Sep 17 00:00:00 2001
From: Oliver
Date: Sat, 18 Jun 2022 17:33:59 +1000
Subject: [PATCH 3/3] Small UI improvements to the settings interface (#3223)
---
 InvenTree/templates/InvenTree/settings/user.html | 12 +++++++-----
 .../templates/InvenTree/settings/user_display.html | 11 +++++++----
 2 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/InvenTree/templates/InvenTree/settings/user.html b/InvenTree/templates/InvenTree/settings/user.html
index b9feb555f5..948c84bcac 100644
--- a/InvenTree/templates/InvenTree/settings/user.html
+++ b/InvenTree/templates/InvenTree/settings/user.html
@@ -154,7 +154,9 @@
 {% else %}
-
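Review bot: As rendered here the expected strings in both `self.assertEqual` calls contain literal `<img …>` and `<script>…</script>` tags, which contradicts the `# Image tags have been stripped` and `# Tags must have been bleached out` comments; presumably the originals hold the entity-escaped form (`&lt;img …&gt;`) and the page lost the escaping, but if the test really asserts raw tags it proves the opposite of its title and must be corrected. The first `self.patch` body is shown with an empty `'description': ''`, so the submitted payload is not visible here either and should be checked against the real file. The docstring says only that "data cleaning" works; make it state the policy under test, e.g. `"""Submit HTML through the category API and check it is sanitised before it reaches the database."""`. The enclosing `PartCategoryAPITest` class starts outside the hunk, and `pk=1` depends on fixture data loaded there.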

{% trans 'You currently have no social network accounts connected to this account.' %}

+
+ {% trans 'There are no social network accounts connected to this account.' %} +
{% endif %} @@ -198,9 +200,9 @@ {% else %} -

{% trans 'Warning:'%} - {% trans "You currently do not have any factors set up." %} -

+
+ {% trans "Multifactor authentication is not configured for your account" %} +
{% endif %} @@ -224,7 +226,7 @@
{% csrf_token %}
{% endif %} diff --git a/InvenTree/templates/InvenTree/settings/user_display.html b/InvenTree/templates/InvenTree/settings/user_display.html index bab90aadf9..1e0b4a1ca3 100644 --- a/InvenTree/templates/InvenTree/settings/user_display.html +++ b/InvenTree/templates/InvenTree/settings/user_display.html @@ -34,7 +34,7 @@ {% csrf_token %}