Commit e97539b6 by Őry Máté

dashboard: move tx-confirm token to path parameter

parent 7e6025d5
...@@ -57,7 +57,7 @@ urlpatterns = patterns( ...@@ -57,7 +57,7 @@ urlpatterns = patterns(
url(r'^node/list/$', NodeList.as_view(), name='dashboard.views.node-list'), url(r'^node/list/$', NodeList.as_view(), name='dashboard.views.node-list'),
url(r'^node/(?P<pk>\d+)/$', NodeDetailView.as_view(), url(r'^node/(?P<pk>\d+)/$', NodeDetailView.as_view(),
name='dashboard.views.node-detail'), name='dashboard.views.node-detail'),
url(r'^tx/$', TransferOwnershipConfirmView.as_view(), url(r'^tx/(?P<key>.*)/?$', TransferOwnershipConfirmView.as_view(),
name='dashboard.views.vm-transfer-ownership-confirm'), name='dashboard.views.vm-transfer-ownership-confirm'),
url(r'^node/delete/(?P<pk>\d+)/$', NodeDelete.as_view(), url(r'^node/delete/(?P<pk>\d+)/$', NodeDelete.as_view(),
name="dashboard.views.delete-node"), name="dashboard.views.delete-node"),
......
...@@ -1507,23 +1507,22 @@ class TransferOwnershipView(LoginRequiredMixin, DetailView): ...@@ -1507,23 +1507,22 @@ class TransferOwnershipView(LoginRequiredMixin, DetailView):
class TransferOwnershipConfirmView(LoginRequiredMixin, View): class TransferOwnershipConfirmView(LoginRequiredMixin, View):
"""User can accept an ownership offer."""
max_age = 3 * 24 * 3600 max_age = 3 * 24 * 3600
success_message = _("Ownership successfully transferred.") success_message = _("Ownership successfully transferred to you.")
@classmethod @classmethod
def get_salt(cls): def get_salt(cls):
return unicode(cls) return unicode(cls)
def get(self, request, *args, **kwargs): def get(self, request, key, *args, **kwargs):
"""Confirm ownership transfer based on token. """Confirm ownership transfer based on token.
""" """
logger.debug('Confirm dialog for token %s.', key)
try: try:
key = request.GET['key']
logger.debug('Confirm dialog for token %s.', key)
instance, new_owner = self.get_instance(key, request.user) instance, new_owner = self.get_instance(key, request.user)
except KeyError: except PermissionDenied:
raise Http404()
except PermissionDenied():
messages.error(request, _('This token is for an other user.')) messages.error(request, _('This token is for an other user.'))
raise raise
except SuspiciousOperation: except SuspiciousOperation:
...@@ -1533,16 +1532,10 @@ class TransferOwnershipConfirmView(LoginRequiredMixin, View): ...@@ -1533,16 +1532,10 @@ class TransferOwnershipConfirmView(LoginRequiredMixin, View):
"dashboard/confirm/base-transfer-ownership.html", "dashboard/confirm/base-transfer-ownership.html",
dictionary={'instance': instance, 'key': key}) dictionary={'instance': instance, 'key': key})
def post(self, request, *args, **kwargs): def post(self, request, key, *args, **kwargs):
"""Really transfer ownership based on token. """Really transfer ownership based on token.
""" """
try: instance, owner = self.get_instance(key, request.user)
key = request.POST['key']
instance, owner = self.get_instance(key, request.user)
except KeyError:
logger.debug('Posted to %s without key field.',
unicode(self.__class__))
raise SuspiciousOperation()
old = instance.owner old = instance.owner
with instance_activity(code_suffix='ownership-transferred', with instance_activity(code_suffix='ownership-transferred',
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or sign in to comment