[tor-bugs] #10754 [Tor Support]: Implement an invitation based token system into webchat

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Apr 15 18:16:37 UTC 2014


#10754: Implement an invitation based token system into webchat
-----------------------------+--------------------------
     Reporter:  Sherief      |      Owner:  Sherief
         Type:  task         |     Status:  needs_review
     Priority:  blocker      |  Milestone:
    Component:  Tor Support  |    Version:
   Resolution:               |   Keywords:  SponsorO
Actual Points:               |  Parent ID:  #10755
       Points:               |
-----------------------------+--------------------------

Comment (by Sherief):

 Replying to [comment:28 lunar]:
 > Replying to [comment:27 Sherief]:
 > > Replying to [comment:26 lunar]:
 > > > Is it really needed to have a `pups_project` sub-directory? Probably
 > > > related question: shouldn't the `stats` and `webchat` modules be
 > > > sub-modules of the `pups` module?
 > > No. I can just name the repo pups_project and remove the extra folder.
 >
 > Why not simply `pups`?

 That's doable but I will also change "pups" the app that handles accounts
 to "accounts".

 > > > This should really be turned into its own method for readability:
 > > > {{{
 > > > token.get_assistant_tokens(User.objects.get(id =
 > > > request.user.id)).filter(expires_at__gt=F('created_at')),
 > > > }}}
 > >
 > > I just added the `.filter(expires_at__gt=F('created_at'))` part to
 > > `models.Token.get_assistant_tokens(assistant)`
 >
 > Then I believe the function name should be changed too.
 >
 > > > Unless I'm mistaken `webchat/templates/tokens.html` directly contains
 > > > the value of `token.comment`. It should be escaped to be displayed in
 > > > an HTML context, otherwise that's a security issue.
 > >
 > > I tried to add html tags, sql code but none worked since Django's ORM
 > > checks things before adding data into the db automatically and
 > > render(request, template, context)'s context handles what you mean.
 >
 > What if an attacker manages to add data to the DB without going through
 > Django's validation process?

 That's not even possible because:
 1) token_page() is decorated with `@login_required`
 2) you cannot access create_token() because it's not mentioned in urls.py
    like `token_page()` and `login()`.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/10754#comment:29>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
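The point lunar raises above is that input validation and output escaping are two different controls: a model or form check on the way into the database does not make a stored string safe to print into HTML, so the template is the place where `token.comment` must be escaped. The following is an added illustration, not code from the ticket or from the pups/webchat project. It does not import Django; the tiny `render()` below is a stand-in that mimics only the `{{ var }}` versus `{{ var|safe }}` distinction, and `store_comment()` mimics a length-only model check. The sample comments, including the one that pretends to have been written to the DB by a path that skips form validation, are constructed for the example.

```python
import html
import re

# Constructed sample values for a hypothetical Token.comment column. The
# last one stands for a row written by a path that never went through
# form validation (a management shell, a fixture, direct SQL).
SAMPLE_TOKEN_COMMENTS = [
    "invite for alice",
    "Tom & Jerry <3",
    '<script>alert("stored comment")</script>',
]

# Hypothetical length-only check, in the spirit of a CharField max_length.
# Note what it does NOT do: it never touches markup in the value.
MAX_COMMENT_LENGTH = 200

def store_comment(comment: str) -> str:
    """Return the value exactly as it would be persisted after a length check."""
    if len(comment) > MAX_COMMENT_LENGTH:
        raise ValueError("comment too long")
    return comment  # stored verbatim; '<' and '"' are still in the DB

# Minimal stand-in for Django's autoescaping template variable syntax.
# {{ name }} is escaped; {{ name|safe }} is emitted raw. Not Django's engine.
_VAR = re.compile(r"\{\{\s*(\w+)(?:\|(safe))?\s*\}\}")

def render(template: str, context: dict, autoescape: bool = True) -> str:
    def substitute(match: re.Match) -> str:
        value = str(context[match.group(1)])
        if autoescape and match.group(2) != "safe":
            # quote=True also escapes " and ' so the value is safe inside
            # attribute values, not only in element text.
            return html.escape(value, quote=True)
        return value
    return _VAR.sub(substitute, template)

# Two versions of the list entry from a tokens page: escaped and raw.
ESCAPED_TEMPLATE = "<li>{{ comment }}</li>"
RAW_TEMPLATE = "<li>{{ comment|safe }}</li>"

def render_comments(comments, template: str = ESCAPED_TEMPLATE) -> list:
    """Render every stored comment through the given template."""
    return [render(template, {"comment": store_comment(c)}) for c in comments]

def has_live_script(rendered: str) -> bool:
    """Detection helper: does the output still contain a real <script> element?"""
    return "<script" in rendered.lower()

if __name__ == "__main__":
    for line in render_comments(SAMPLE_TOKEN_COMMENTS):
        print(line, "| live script:", has_live_script(line))
    for line in render_comments(SAMPLE_TOKEN_COMMENTS, RAW_TEMPLATE):
        print(line, "| live script:", has_live_script(line))
```

Running it shows that the stored value is unchanged by the length check, that the escaped template turns the third comment into `&lt;script&gt;...` regardless of how the row got into the table, and that only the `|safe` variant (or a template with autoescaping switched off) lets the markup through. That is why the reviewer's question about data reaching the DB by another route matters: the template escape is the control that holds even when the view-level protections (`@login_required`, an unrouted `create_token()`) are not the path the data took.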

