Python/Django Class based saving












-1












$begingroup$


I'm creating multiple Django apps with vote possibilities, so I made an app vote to handle all this votes. In my templates I'm including an ajax-function named vote. To know on which model I'm liking I add app_name and model_name to the vote function (I made some templatetags to get these values). In my views.py I use model = apps.get_model(app_name, model_name) to get the model class. But now I'm worried a hacker could do something with the app_name and model_name values.



vote/ajax.html (only function):



function vote(bool){
$.ajax({
type: "post",
timeout: 8000,
url: '{% url 'ajax:vote' %}',
dataType: 'json',
data: {
'csrfmiddlewaretoken': getCookie('csrftoken'),
'model_name': "{{ model|get_model_name }}",
'app_name': "{{ model|get_app_name }}",
'voted': bool,
'id': "{{ model.id }}",
},
success: function(data) {
if (!data.error){
if (bool){
$(".half .fa-thumbs-up").removeClass("far").addClass("fas");
$(".half #count").text(parseInt($(".half #count").text()) + 1);
} else {
$(".half .fa-thumbs-down").removeClass("far").addClass("fas");
$(".half #count").text(parseInt($(".half #count").text()) - 1);
}
}
}
});
}


ajax/views.py:



def vote(request):
try:
app_name = request.POST.get("app_name")
model_name = request.POST.get("model_name")
id = request.POST.get("id")
votedFor = True if request.POST.get("voted") == "true" else False
except ValueError:
return JsonResponse({"error": True})



model = apps.get_model(app_name, model_name)

if model is None or id is None:
return JsonResponse({"error": True})

try:
usable_model = model.objects.get(id=id)
except model.DoesNotExist:
return JsonResponse({"error": True})

try:
usable_model.vote._meta.get_field("votes")
except FieldDoesNotExist:
return JsonResponse({"error": True})


usable_model.vote.vote(request, votedFor)
return JsonResponse({"error": False})


vote/functions:



    def vote(self, request, votedFor):
if request.user.is_authenticated:
if not UserVoted.objects.filter(User=request.user, Vote=self).exists():
UserVoted.objects.create(User=request.user, Vote=self, votedFor=votedFor)
self._like_or_dislike(votedFor)
return True
return False
ip = get_client_ip(request)
if ip:
if not UserVoted.objects.filter(ip=ip, Vote=self).exists():
UserVoted.objects.create(ip=ip, Vote=self, votedFor=votedFor)
self._like_or_dislike(votedFor)
return True
return False
return False

def _like_or_dislike(self, votedFor):
if votedFor is not None:
Vote.objects.filter(id=self.id).update(votes=F('votes') + 1) if votedFor else Vote.objects.filter(id=self.id).update(votes=F('votes') - 1)
return True
return False


I already manipulated app_name and model_name and the server didn't crash but I don't know what a hacker can do. Can he crash my server when he manipulate these values? (maybe "ajax-injection" or something like this?)










share|improve this question











$endgroup$








  • 5




    $begingroup$
    Your indentation is off. This being Python, indentation is very important. Remove your code, paste it in file-by-file and with every bit you paste in, select it, hit Ctrl + K. The question editor should do the rest.
    $endgroup$
    – Mast
    7 hours ago
















-1












$begingroup$


I'm creating multiple Django apps with vote possibilities, so I made an app vote to handle all this votes. In my templates I'm including an ajax-function named vote. To know on which model I'm liking I add app_name and model_name to the vote function (I made some templatetags to get these values). In my views.py I use model = apps.get_model(app_name, model_name) to get the model class. But now I'm worried a hacker could do something with the app_name and model_name values.



vote/ajax.html (only function):



function vote(bool){
$.ajax({
type: "post",
timeout: 8000,
url: '{% url 'ajax:vote' %}',
dataType: 'json',
data: {
'csrfmiddlewaretoken': getCookie('csrftoken'),
'model_name': "{{ model|get_model_name }}",
'app_name': "{{ model|get_app_name }}",
'voted': bool,
'id': "{{ model.id }}",
},
success: function(data) {
if (!data.error){
if (bool){
$(".half .fa-thumbs-up").removeClass("far").addClass("fas");
$(".half #count").text(parseInt($(".half #count").text()) + 1);
} else {
$(".half .fa-thumbs-down").removeClass("far").addClass("fas");
$(".half #count").text(parseInt($(".half #count").text()) - 1);
}
}
}
});
}


ajax/views.py:



def vote(request):
try:
app_name = request.POST.get("app_name")
model_name = request.POST.get("model_name")
id = request.POST.get("id")
votedFor = True if request.POST.get("voted") == "true" else False
except ValueError:
return JsonResponse({"error": True})



model = apps.get_model(app_name, model_name)

if model is None or id is None:
return JsonResponse({"error": True})

try:
usable_model = model.objects.get(id=id)
except model.DoesNotExist:
return JsonResponse({"error": True})

try:
usable_model.vote._meta.get_field("votes")
except FieldDoesNotExist:
return JsonResponse({"error": True})


usable_model.vote.vote(request, votedFor)
return JsonResponse({"error": False})


vote/functions:



    def vote(self, request, votedFor):
if request.user.is_authenticated:
if not UserVoted.objects.filter(User=request.user, Vote=self).exists():
UserVoted.objects.create(User=request.user, Vote=self, votedFor=votedFor)
self._like_or_dislike(votedFor)
return True
return False
ip = get_client_ip(request)
if ip:
if not UserVoted.objects.filter(ip=ip, Vote=self).exists():
UserVoted.objects.create(ip=ip, Vote=self, votedFor=votedFor)
self._like_or_dislike(votedFor)
return True
return False
return False

def _like_or_dislike(self, votedFor):
if votedFor is not None:
Vote.objects.filter(id=self.id).update(votes=F('votes') + 1) if votedFor else Vote.objects.filter(id=self.id).update(votes=F('votes') - 1)
return True
return False


I already manipulated app_name and model_name and the server didn't crash but I don't know what a hacker can do. Can he crash my server when he manipulate these values? (maybe "ajax-injection" or something like this?)










share|improve this question











$endgroup$








  • 5




    $begingroup$
    Your indentation is off. This being Python, indentation is very important. Remove your code, paste it in file-by-file and with every bit you paste in, select it, hit Ctrl + K. The question editor should do the rest.
    $endgroup$
    – Mast
    7 hours ago














-1












-1








-1





$begingroup$


I'm creating multiple Django apps with vote possibilities, so I made an app vote to handle all this votes. In my templates I'm including an ajax-function named vote. To know on which model I'm liking I add app_name and model_name to the vote function (I made some templatetags to get these values). In my views.py I use model = apps.get_model(app_name, model_name) to get the model class. But now I'm worried a hacker could do something with the app_name and model_name values.



vote/ajax.html (only function):



function vote(bool){
$.ajax({
type: "post",
timeout: 8000,
url: '{% url 'ajax:vote' %}',
dataType: 'json',
data: {
'csrfmiddlewaretoken': getCookie('csrftoken'),
'model_name': "{{ model|get_model_name }}",
'app_name': "{{ model|get_app_name }}",
'voted': bool,
'id': "{{ model.id }}",
},
success: function(data) {
if (!data.error){
if (bool){
$(".half .fa-thumbs-up").removeClass("far").addClass("fas");
$(".half #count").text(parseInt($(".half #count").text()) + 1);
} else {
$(".half .fa-thumbs-down").removeClass("far").addClass("fas");
$(".half #count").text(parseInt($(".half #count").text()) - 1);
}
}
}
});
}


ajax/views.py:



def vote(request):
try:
app_name = request.POST.get("app_name")
model_name = request.POST.get("model_name")
id = request.POST.get("id")
votedFor = True if request.POST.get("voted") == "true" else False
except ValueError:
return JsonResponse({"error": True})



model = apps.get_model(app_name, model_name)

if model is None or id is None:
return JsonResponse({"error": True})

try:
usable_model = model.objects.get(id=id)
except model.DoesNotExist:
return JsonResponse({"error": True})

try:
usable_model.vote._meta.get_field("votes")
except FieldDoesNotExist:
return JsonResponse({"error": True})


usable_model.vote.vote(request, votedFor)
return JsonResponse({"error": False})


vote/functions:



    def vote(self, request, votedFor):
if request.user.is_authenticated:
if not UserVoted.objects.filter(User=request.user, Vote=self).exists():
UserVoted.objects.create(User=request.user, Vote=self, votedFor=votedFor)
self._like_or_dislike(votedFor)
return True
return False
ip = get_client_ip(request)
if ip:
if not UserVoted.objects.filter(ip=ip, Vote=self).exists():
UserVoted.objects.create(ip=ip, Vote=self, votedFor=votedFor)
self._like_or_dislike(votedFor)
return True
return False
return False

def _like_or_dislike(self, votedFor):
if votedFor is not None:
Vote.objects.filter(id=self.id).update(votes=F('votes') + 1) if votedFor else Vote.objects.filter(id=self.id).update(votes=F('votes') - 1)
return True
return False


I already manipulated app_name and model_name and the server didn't crash but I don't know what a hacker can do. Can he crash my server when he manipulate these values? (maybe "ajax-injection" or something like this?)










share|improve this question











$endgroup$




I'm creating multiple Django apps with vote possibilities, so I made an app vote to handle all this votes. In my templates I'm including an ajax-function named vote. To know on which model I'm liking I add app_name and model_name to the vote function (I made some templatetags to get these values). In my views.py I use model = apps.get_model(app_name, model_name) to get the model class. But now I'm worried a hacker could do something with the app_name and model_name values.



vote/ajax.html (only function):



function vote(bool){
$.ajax({
type: "post",
timeout: 8000,
url: '{% url 'ajax:vote' %}',
dataType: 'json',
data: {
'csrfmiddlewaretoken': getCookie('csrftoken'),
'model_name': "{{ model|get_model_name }}",
'app_name': "{{ model|get_app_name }}",
'voted': bool,
'id': "{{ model.id }}",
},
success: function(data) {
if (!data.error){
if (bool){
$(".half .fa-thumbs-up").removeClass("far").addClass("fas");
$(".half #count").text(parseInt($(".half #count").text()) + 1);
} else {
$(".half .fa-thumbs-down").removeClass("far").addClass("fas");
$(".half #count").text(parseInt($(".half #count").text()) - 1);
}
}
}
});
}


ajax/views.py:



def vote(request):
try:
app_name = request.POST.get("app_name")
model_name = request.POST.get("model_name")
id = request.POST.get("id")
votedFor = True if request.POST.get("voted") == "true" else False
except ValueError:
return JsonResponse({"error": True})



model = apps.get_model(app_name, model_name)

if model is None or id is None:
return JsonResponse({"error": True})

try:
usable_model = model.objects.get(id=id)
except model.DoesNotExist:
return JsonResponse({"error": True})

try:
usable_model.vote._meta.get_field("votes")
except FieldDoesNotExist:
return JsonResponse({"error": True})


usable_model.vote.vote(request, votedFor)
return JsonResponse({"error": False})


vote/functions:



    def vote(self, request, votedFor):
if request.user.is_authenticated:
if not UserVoted.objects.filter(User=request.user, Vote=self).exists():
UserVoted.objects.create(User=request.user, Vote=self, votedFor=votedFor)
self._like_or_dislike(votedFor)
return True
return False
ip = get_client_ip(request)
if ip:
if not UserVoted.objects.filter(ip=ip, Vote=self).exists():
UserVoted.objects.create(ip=ip, Vote=self, votedFor=votedFor)
self._like_or_dislike(votedFor)
return True
return False
return False

def _like_or_dislike(self, votedFor):
if votedFor is not None:
Vote.objects.filter(id=self.id).update(votes=F('votes') + 1) if votedFor else Vote.objects.filter(id=self.id).update(votes=F('votes') - 1)
return True
return False


I already manipulated app_name and model_name and the server didn't crash but I don't know what a hacker can do. Can he crash my server when he manipulate these values? (maybe "ajax-injection" or something like this?)







python javascript jquery security django






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited 7 mins ago









Jamal

30.3k11116226




30.3k11116226










asked 8 hours ago









Myzel394Myzel394

295




295








  • 5




    $begingroup$
    Your indentation is off. This being Python, indentation is very important. Remove your code, paste it in file-by-file and with every bit you paste in, select it, hit Ctrl + K. The question editor should do the rest.
    $endgroup$
    – Mast
    7 hours ago














  • 5




    $begingroup$
    Your indentation is off. This being Python, indentation is very important. Remove your code, paste it in file-by-file and with every bit you paste in, select it, hit Ctrl + K. The question editor should do the rest.
    $endgroup$
    – Mast
    7 hours ago








5




5




$begingroup$
Your indentation is off. This being Python, indentation is very important. Remove your code, paste it in file-by-file and with every bit you paste in, select it, hit Ctrl + K. The question editor should do the rest.
$endgroup$
– Mast
7 hours ago




$begingroup$
Your indentation is off. This being Python, indentation is very important. Remove your code, paste it in file-by-file and with every bit you paste in, select it, hit Ctrl + K. The question editor should do the rest.
$endgroup$
– Mast
7 hours ago










0






active

oldest

votes











Your Answer





StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["\$", "\$"]]);
});
});
}, "mathjax-editing");

StackExchange.ifUsing("editor", function () {
StackExchange.using("externalEditor", function () {
StackExchange.using("snippets", function () {
StackExchange.snippets.init();
});
});
}, "code-snippets");

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "196"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});














draft saved

draft discarded


















StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f212021%2fpython-django-class-based-saving%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes
















draft saved

draft discarded




















































Thanks for contributing an answer to Code Review Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


Use MathJax to format equations. MathJax reference.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcodereview.stackexchange.com%2fquestions%2f212021%2fpython-django-class-based-saving%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Сан-Квентин

Алькесар

Josef Freinademetz