Mirrored_Repos/InvenTree
1
0
Fork 0
mirror of https://github.com/inventree/InvenTree synced 2024-08-30 18:33:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'inventree/master'

Browse Source
This commit is contained in:
Oliver Walters 2022-06-18 19:49:54 +10:00
commit 1481003f04
4 changed files with 53 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
InvenTree/InvenTree/settings.py
View File

@ -391,9 +391,16 @@ REST_FRAMEWORK = {
'InvenTree.permissions.RolePermission', 'InvenTree.permissions.RolePermission',
), ),
'DEFAULT_SCHEMA_CLASS': 'rest_framework.schemas.coreapi.AutoSchema', 'DEFAULT_SCHEMA_CLASS': 'rest_framework.schemas.coreapi.AutoSchema',
'DEFAULT_METADATA_CLASS': 'InvenTree.metadata.InvenTreeMetadata' 'DEFAULT_METADATA_CLASS': 'InvenTree.metadata.InvenTreeMetadata',
'DEFAULT_RENDERER_CLASSES': [
'rest_framework.renderers.JSONRenderer',
]
} }
if DEBUG:
# Enable browsable API if in DEBUG mode
REST_FRAMEWORK['DEFAULT_RENDERER_CLASSES'].append('rest_framework.renderers.BrowsableAPIRenderer')
WSGI_APPLICATION = 'InvenTree.wsgi.application' WSGI_APPLICATION = 'InvenTree.wsgi.application'
""" """

31
InvenTree/part/test_api.py
View File

@ -148,6 +148,37 @@ class PartCategoryAPITest(InvenTreeAPITestCase):
# There should not be any templates left at this point # There should not be any templates left at this point
self.assertEqual(PartCategoryParameterTemplate.objects.count(), 0) self.assertEqual(PartCategoryParameterTemplate.objects.count(), 0)
def test_bleach(self):
"""Test that the data cleaning functionality is working"""
url = reverse('api-part-category-detail', kwargs={'pk': 1})
self.patch(
url,
{
'description': '<img src=# onerror=alert("pwned")>',
},
expected_code=200
)
cat = PartCategory.objects.get(pk=1)
# Image tags have been stripped
self.assertEqual(cat.description, '&lt;img src=# onerror=alert("pwned")&gt;')
self.patch(
url,
{
'description': '<a href="www.google.com">LINK</a><script>alert("h4x0r")</script>',
},
expected_code=200,
)
# Tags must have been bleached out
cat.refresh_from_db()
self.assertEqual(cat.description, '<a href="www.google.com">LINK</a>&lt;script&gt;alert("h4x0r")&lt;/script&gt;')
class PartOptionsAPITest(InvenTreeAPITestCase): class PartOptionsAPITest(InvenTreeAPITestCase):
"""Tests for the various OPTIONS endpoints in the /part/ API. """Tests for the various OPTIONS endpoints in the /part/ API.

12
InvenTree/templates/InvenTree/settings/user.html
View File

@ -154,7 +154,9 @@
</form> </form>
{% else %} {% else %}
<p>{% trans 'You currently have no social network accounts connected to this account.' %}</p> <div class='alert alert-block alert-warning'>
{% trans 'There are no social network accounts connected to this account.' %}
</div>
{% endif %} {% endif %}
</div> </div>
@ -198,9 +200,9 @@
</table> </table>
{% else %} {% else %}
<p><strong>{% trans 'Warning:'%}</strong> <div class='alert alert-block alert-warning'>
{% trans "You currently do not have any factors set up." %} {% trans "Multifactor authentication is not configured for your account" %}
</p> </div>
{% endif %} {% endif %}
</div> </div>
@ -224,7 +226,7 @@
<form method="post" action="{% url 'session_delete_other' %}"> <form method="post" action="{% url 'session_delete_other' %}">
{% csrf_token %} {% csrf_token %}
<button type="submit" class="btn btn-sm btn-default btn-danger" title='{% trans "Log out active sessions (except this one)" %}'> <button type="submit" class="btn btn-sm btn-default btn-danger" title='{% trans "Log out active sessions (except this one)" %}'>
{% trans "Log Out Active Sessions" %} <span class='fas fa-sign-out-alt'></span> {% trans "Log Out Active Sessions" %}
</button> </button>
</form> </form>
{% endif %} {% endif %}

11
InvenTree/templates/InvenTree/settings/user_display.html
View File

@ -34,7 +34,7 @@
{% csrf_token %} {% csrf_token %}
<input name='next' type='hidden' value='{% url "settings" %}'> <input name='next' type='hidden' value='{% url "settings" %}'>
<label for='theme' class=' requiredField'> <label for='theme' class=' requiredField'>
{% trans "Select theme" %} <h6>{% trans "Select theme" %}</h6>
</label> </label>
<div class='form-group input-group mb-3'> <div class='form-group input-group mb-3'>
<select id='theme' name='theme' class='select form-control'> <select id='theme' name='theme' class='select form-control'>
@ -62,7 +62,7 @@
{% csrf_token %} {% csrf_token %}
<input name="next" type="hidden" value="{% url 'settings' %}"> <input name="next" type="hidden" value="{% url 'settings' %}">
<label for='language' class=' requiredField'> <label for='language' class=' requiredField'>
{% trans "Select language" %} <h6>{% trans "Select language" %}</h6>
</label> </label>
<div class='form-group input-group mb-3'> <div class='form-group input-group mb-3'>
<select name="language" class="select form-control w-25"> <select name="language" class="select form-control w-25">
@ -100,8 +100,11 @@
</form> </form>
</div> </div>
<div class="col-sm-6"> <div class="col-sm-6">
<h4>{% trans "Help the translation efforts!" %}</h4> <div class='alert alert-block alert-success'>
<p>{% blocktrans with link="https://crowdin.com/project/inventree" %}Native language translation of the web application is <a href="{{link}}">community contributed via crowdin</a>. Contributions are welcomed and encouraged.{% endblocktrans %}</p> <h5>{% trans "Help the translation efforts!" %}</h5>
<p>{% trans "Native language translation of the web application is community contributed via crowdin. Contributions are welcomed and encouraged." %}</p>
<p><a href="https://crowdin.com/project/inventree">{% trans "InvenTree Translation Project" %}</a></p>
</div>
</div> </div>
</div> </div>