don't use tokens as primary keys

2017-12-18 14:54:45 +01:00 · 2017-12-18 14:54:45 +01:00 · 64664fbc66
commit 64664fbc66
parent afb23e5865
5 changed files with 50 additions and 7 deletions
--- a/src/c3nav/control/views.py
+++ b/src/c3nav/control/views.py
@ -140,7 +140,7 @@ def grant_access(request):
@control_panel_view
 def grant_access_qr(request, token):
    with transaction.atomic():
-        token = AccessPermissionToken.objects.select_for_update().get(id=token, author=request.user)
+        token = AccessPermissionToken.objects.select_for_update().get(token=token, author=request.user)
        if token.redeemed:
            messages.success(request, _('Access successfully granted.'))
            token = None
@ -165,7 +165,7 @@ def grant_access_qr(request, token):
        token.bump()
        token.save()

-    url = reverse('site.access.redeem', kwargs={'token': str(token.id)})
+    url = reverse('site.access.redeem', kwargs={'token': str(token.token)})
    return render(request, 'control/access_qr.html', {
        'url': url,
        'url_qr': reverse('site.qr', kwargs={'path': url}),
--- a/src/c3nav/mapdata/migrations/0060_accesspermissiontoken_id.py
+++ b/src/c3nav/mapdata/migrations/0060_accesspermissiontoken_id.py
@ -0,0 +1,43 @@
+# -*- coding: utf-8 -*-
+# Generated by Django 1.11.7 on 2017-12-18 13:49
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+import django.db.models.deletion
+import uuid
+
+
+def remove_all_tokens(apps, schema_editor):
+    apps.get_model('mapdata', 'AccessPermissionToken').objects.all().delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('mapdata', '0059_multiple_accesspermissions'),
+    ]
+
+    operations = [
+        migrations.RunPython(remove_all_tokens, remove_all_tokens),
+        migrations.RemoveField(
+            model_name='accesspermission',
+            name='token',
+        ),
+        migrations.AddField(
+            model_name='accesspermissiontoken',
+            name='token',
+            field=models.UUIDField(default=uuid.uuid4, editable=False, unique=True),
+        ),
+        migrations.AlterField(
+            model_name='accesspermissiontoken',
+            name='id',
+            field=models.AutoField(primary_key=True, serialize=False),
+        ),
+        migrations.AddField(
+            model_name='accesspermission',
+            name='token',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.CASCADE,
+                                    related_name='accesspermissions', to='mapdata.AccessPermissionToken',
+                                    verbose_name='Access permission token'),
+        ),
+    ]
--- a/src/c3nav/mapdata/models/access.py
+++ b/src/c3nav/mapdata/models/access.py
@ -40,7 +40,7 @@ AccessPermissionTokenItem = namedtuple('AccessPermissionTokenItem', ('pk', 'expi


 class AccessPermissionToken(models.Model):
-    id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)
+    token = models.UUIDField(unique=True, default=uuid.uuid4, editable=False)
    author = models.ForeignKey(settings.AUTH_USER_MODEL, on_delete=models.PROTECT,
                               related_name='created_accesspermission_tokens',
                               verbose_name=_('author'))
--- a/src/c3nav/mapdata/models/geometry/space.py
+++ b/src/c3nav/mapdata/models/geometry/space.py
@ -9,7 +9,7 @@ from django.utils.text import format_lazy
 from django.utils.translation import ugettext_lazy as _
 from shapely.geometry import CAP_STYLE, JOIN_STYLE, mapping

-from c3nav.mapdata.fields import GeometryField, JSONField
+from c3nav.mapdata.fields import GeometryField, JSONField, I18nField
 from c3nav.mapdata.models.geometry.base import GeometryMixin
 from c3nav.mapdata.models.locations import SpecificLocation
 from c3nav.mapdata.utils.cache.changes import changed_geometries
--- a/src/c3nav/site/views.py
+++ b/src/c3nav/site/views.py
@ -144,7 +144,7 @@ def redeem_token_after_login(request):
        return

    try:
-        token = AccessPermissionToken.objects.get(id=token)
+        token = AccessPermissionToken.objects.get(token=token)
    except AccessPermissionToken.DoesNotExist:
        return

@ -244,7 +244,7 @@ def account_view(request):
 def access_redeem_view(request, token):
    with transaction.atomic():
        try:
-            token = AccessPermissionToken.objects.select_for_update().get(id=token, redeemed=False,
+            token = AccessPermissionToken.objects.select_for_update().get(token=token, redeemed=False,
                                                                          valid_until__gte=timezone.now())
        except AccessPermissionToken.DoesNotExist:
            messages.error(request, _('This token does not exist or was already redeemed.'))
@ -258,7 +258,7 @@ def access_redeem_view(request, token):

            if not request.user.is_authenticated:
                messages.info(request, _('You need to log in to unlock areas.'))
-                request.session['redeem_token_on_login'] = str(token.id)
+                request.session['redeem_token_on_login'] = str(token.token)
                return redirect('site.login')

            token.redeemed_by = request.user