changeset 1022:82f1f6f905eb

Perform image_check on private messages.
author Brian Neal <bgneal@gmail.com>
date Wed, 09 Dec 2015 21:16:04 -0600
parents 68c3343f3318
children a5ebc74dc3f3
files messages/forms.py messages/models.py messages/tests/test_forms.py
diffstat 3 files changed, 41 insertions(+), 3 deletions(-) [+]
--- a/messages/forms.py	Tue Dec 08 21:39:19 2015 -0600
+++ b/messages/forms.py	Wed Dec 09 21:16:04 2015 -0600
@@ -10,6 +10,9 @@
 from django.template.loader import render_to_string
 
 from core.functions import send_mail
+from core.html import ImageCheckError
+from core.html import image_check
+from core.markup import site_markup
 from core.widgets import AutoCompleteUserInput
 import messages
 from messages.models import Flag, Message, Options
@@ -48,9 +51,20 @@
         return receiver
 
     def clean_message(self):
-        msg = self.cleaned_data['message']
+        msg = self.cleaned_data['message'].strip()
         if len(msg) > MESSAGE_MAX:
             raise forms.ValidationError("Your message is too long. Please trim some text.")
+
+        self.html = None
+        if not msg:
+            raise forms.ValidationError("Please enter a message.")
+
+        self.html = site_markup(msg)
+        try:
+            image_check(self.html)
+        except ImageCheckError as ex:
+            raise forms.ValidationError(str(ex))
+
         return msg
 
     def clean(self):
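Review bot: `self.html` only comes into existence inside `clean_message`, and the too-long branch raises before the `self.html = None` assignment, so after a failed validation (or when Django skips `clean_message` because the field failed its own checks) the attribute is absent rather than `None`; any code that reads `self.html` before `is_valid()` has succeeded, such as the `new_msg.save(html=self.html)` line in the third hunk, would get an `AttributeError` instead of a clean fallback. Initialising `self.html = None` in `ComposeForm.__init__` (outside this hunk) and dropping the in-method reset makes the attribute a stable part of the form's state. The `__unicode__` method in models.py suggests a Python 2 codebase, so `str(ex)` on the next-to-last added line would raise `UnicodeEncodeError` if the check's message ever contains non-ASCII text; `raise forms.ValidationError(unicode(ex))` avoids that. A short docstring would also help, e.g. `"""Validate the message text, render it to HTML and run the image check on the rendered form; the result is kept in self.html for save()."""`.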
@@ -89,7 +103,7 @@
             message=message,
             signature_attached=attach_signature,
         )
-        new_msg.save()
+        new_msg.save(html=self.html)
 
         # Update the parent message (if there is one)
         parent_id = self.cleaned_data['parent_id']
--- a/messages/models.py	Tue Dec 08 21:39:19 2015 -0600
+++ b/messages/models.py	Wed Dec 09 21:16:04 2015 -0600
@@ -64,7 +64,10 @@
     def save(self, *args, **kwargs):
         if not self.id:
             self.send_date = datetime.datetime.now()
-        self.html = site_markup(self.message)
+
+        self.html = kwargs.pop('html', None)
+        if not self.html and self.message:
+            self.html = site_markup(self.message)
         super(Message, self).save(*args, **kwargs)
 
     def __unicode__(self):
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/messages/tests/test_forms.py	Wed Dec 09 21:16:04 2015 -0600
@@ -0,0 +1,21 @@
+"""Unit tests for the messages application forms."""
+
+from django.contrib.auth.models import User
+from django.test import TestCase
+
+from messages.forms import ComposeForm
+
+
+class ComposeFormTestCase(TestCase):
+    fixtures = ['messages_test_users.json']
+
+    def test_unsafe_image(self):
+        data = {
+            'receiver': 'pj',
+            'subject': 'Test subject',
+            'message': 'Hi ![image](http:example.com/a.jpg)',
+        }
+        user = User.objects.get(username='eddie')
+        f = ComposeForm(user, data)
+        self.assertFalse(f.is_valid())
+
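Review bot: The test asserts only that the form is invalid, so a failure unrelated to the image check (for instance if the fixture does not contain the receiver `pj`, which cannot be confirmed from this page) would also make it pass. Pin the cause with `self.assertIn('message', f.errors)` after the `assertFalse`, and add a companion test that the same data with an acceptable image URL produces a valid form, so a regression that rejects every message is caught as well.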