confirmation: Add confirmation_type to get_object_from_key.

This change:

* Prevents weird potential attacks like taking a valid confirmation link
  (say an unsubscribe link), and putting it into the URL of a multiuse
  invite link. I don't know of any such attacks one could do right now, but
  reasoning about it is complicated.

* Makes the code easier to read, and in the case of confirmation/views.py,
  exposes something that needed refactoring anyway (USER_REGISTRATION and
  INVITATION should have different endpoints, and both of those endpoints
  should be in zerver/views/registration, not this file).

This commit is contained in:
Rishi Gupta
2017-11-01 13:07:39 -07:00
committed by Tim Abbott
parent 608a594256
commit fdbe36644e
5 changed files with 25 additions and 10 deletions


@@ -385,7 +385,7 @@ def accounts_home_from_multiuse_invite(request, confirmation_key):
# type: (HttpRequest, str) -> HttpResponse
multiuse_object = None
try:
multiuse_object = get_object_from_key(confirmation_key)
multiuse_object = get_object_from_key(confirmation_key, Confirmation.MULTIUSE_INVITE)
# Required for oAuth2
request.session["multiuse_object_key"] = confirmation_key
except ConfirmationKeyException as exception:
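Review bot: the only handler visible in this hunk is `except ConfirmationKeyException as exception:`, so the new second argument `Confirmation.MULTIUSE_INVITE` only gives the intended protection if `get_object_from_key` raises that same exception when the key exists but its confirmation_type does not match; if a mismatch raises anything else, a reused unsubscribe or invite key would escape this handler rather than being rejected here. The hunk also does not touch the module's imports, so confirm that `Confirmation` is already imported in this file, since the new call references it by name.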