Add @sensitive_post_parameters
jacobtylerwalls committed Nov 25, 2024
1 parent f198214 commit 171cdff
Showing 2 changed files with 9 additions and 2 deletions.
3 changes: 2 additions & 1 deletion arches/app/views/api/auth.py
Expand Up @@ -4,7 +4,7 @@
from django.contrib.auth import authenticate, login, logout
from django.utils.decorators import method_decorator
from django.utils.translation import gettext as _
from django.views.decorators.debug import sensitive_variables
from django.views.decorators.debug import sensitive_variables, sensitive_post_parameters
from django_ratelimit.decorators import ratelimit

from arches.app.models.system_settings import settings
Expand All @@ -19,6 +19,7 @@ class Login(LoginView, APIBase):
http_method_names = ["post"]

@sensitive_variables()
@sensitive_post_parameters()
@method_decorator(
ratelimit(key="post:username", rate=settings.RATE_LIMIT, block=False)
)
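Review bot: `@sensitive_post_parameters()` is stacked directly on a method here, but Django's wrapper checks that its first positional argument is an `HttpRequest` and raises `TypeError` ("... If you are decorating a classmethod, make sure to use @method_decorator.") when it receives `self` instead, so each decorated `post` would fail at request time rather than have its parameters redacted. The same stacking appears at every site in arches/app/views/auth.py, where `def post(self, request)` is visible directly under the decorator stack; in this file the decorated method starts past the hunk. Change each site to `@method_decorator(sensitive_post_parameters())`, or apply `@method_decorator(sensitive_post_parameters(), name="dispatch")` on the class, which is how Django's own `LoginView` applies it, so `Login(LoginView, APIBase)` may already inherit the redaction on `dispatch` unless it overrides that method. Note also that the decorator only redacts POST data in Django's error reports (the technical 500 page and admin error mails), not in ratelimit or application logging.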
8 changes: 7 additions & 1 deletion arches/app/views/auth.py
Expand Up @@ -32,7 +32,7 @@
from django.utils.decorators import method_decorator
from django.views.decorators.cache import never_cache
from django.views.decorators.csrf import csrf_exempt
from django.views.decorators.debug import sensitive_variables
from django.views.decorators.debug import sensitive_post_parameters, sensitive_variables
from django.utils.html import strip_tags
from django.utils.translation import gettext as _
from django.utils.http import urlencode
Expand Down Expand Up @@ -88,6 +88,7 @@ def get(self, request):
)

@sensitive_variables()
@sensitive_post_parameters()
@method_decorator(
ratelimit(
key="post:username",
Expand Down Expand Up @@ -371,6 +372,7 @@ def get(self, request):
return JSONResponse(messages)

@sensitive_variables()
@sensitive_post_parameters()
@method_decorator(ratelimit(key="user", rate=settings.RATE_LIMIT, block=False))
def post(self, request):
messages = {
Expand Down Expand Up @@ -428,6 +430,7 @@ class PasswordResetConfirmView(auth_views.PasswordResetConfirmView):
@method_decorator(csrf_exempt, name="dispatch")
class UserProfileView(View):
@sensitive_variables()
@sensitive_post_parameters()
@method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
def post(self, request):
username = request.POST.get("username", None)
Expand All @@ -450,6 +453,7 @@ def post(self, request):
@method_decorator(csrf_exempt, name="dispatch")
class GetClientIdView(View):
@sensitive_variables()
@sensitive_post_parameters()
@method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
def post(self, request):
if settings.OAUTH_CLIENT_ID == "":
Expand All @@ -470,6 +474,7 @@ def post(self, request):
@method_decorator(csrf_exempt, name="dispatch")
class ServerSettingView(View):
@sensitive_variables()
@sensitive_post_parameters()
@method_decorator(ratelimit(key="post:username", rate=settings.RATE_LIMIT))
def post(self, request):
if settings.OAUTH_CLIENT_ID == "":
Expand Down Expand Up @@ -579,6 +584,7 @@ def post(self, request):
@method_decorator(never_cache, name="dispatch")
class TwoFactorAuthenticationLoginView(View):
@sensitive_variables()
@sensitive_post_parameters()
def post(self, request):
username = request.POST.get("username", None)
password = request.POST.get("password", None)