


Matthew Smith
1e00b23479 fix pep8 2020-01-17 12:38:02 +00:00
Matthew Smith
b5e61adde5 Disabled password reset and left message notifying user of problem. In response to CVE-2019-19844 2020-01-17 12:29:24 +00:00
4ad12ab40a FIX: Prevent basic users seeing individual asset version history
I prevented them from seeing the change stream, didn't prevent them seeing individual histories. This has to be done as otherwise it leaks financial information. If I can be arsed I'll come back to this and allow basic users to see a filtered version.
2020-01-11 21:13:50 +00:00
13205770f1 FIX: Correct template for AssetVersionHistory 2020-01-11 21:13:50 +00:00
6bb0c88c72 FIX: Migrations 2020-01-03 22:21:50 +00:00
82a30ca77d Miscellaneous changes to the Asset DB (#390)
* FIX #388: Prevent assets losing supplier data on edit

* FEAT: Add associated assets to supplier detail view

* FIX: Tweak supplier list to make detail view accessible

* Potential fix for #380

No idea if it works because I can't reproduce locally. S/O Reckons it should... :P

* FEAT #386: Asset search searches serial number.

Pending addition of advanced search.

* FIX: Order asset categories/statuses alphabetically

Instead of by pk because that's silly.

* FEAT: Statuses can have a CSS class defined in the admin panel

This replaces the hardcoding of colours in the asset list.

* FIX: Squash migrations

* Fixed supplier not working on all the create asset template

* Refactored away "assets" property on "Supplier" by using "related_name" instead

Co-authored-by: Matthew Smith <mattysmith22@googlemail.com>
2020-01-03 21:46:39 +00:00
13 changed files with 32 additions and 90 deletions


@@ -0,0 +1,9 @@
{% extends 'base_rigs.html' %}
{% block title %}Password Reset Disabled{% endblock %}
{% block content %}
<h1>Password reset is disabled</h1>
<p> We are very sorry for the inconvenience, but due to a security vulnerability, password reset is currently disabled until the vulnerability can be patched.</p>
<p> If you are locked out of your account, please contact an administrator and we can manually perform a reset</p>
{% endblock %}
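Review bot: The placeholder template carries no marker of when it can be retired, so the temporary disable is likely to outlive the Django upgrade that actually resolves the issue; add a template comment at the top, e.g. `{# Temporary: password reset disabled in response to CVE-2019-19844 — remove once Django is upgraded to a patched release and the password_reset route is restored #}`. The two `<p>` elements also open with a stray space (`<p> We are…`, `<p> If you…`), harmless but inconsistent with the rest of the markup.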


@@ -19,7 +19,7 @@ urlpatterns = [
url('^user/login/$', views.login, name='login'), url('^user/login/$', views.login, name='login'),
url('^user/login/embed/$', xframe_options_exempt(views.login_embed), name='login_embed'), url('^user/login/embed/$', xframe_options_exempt(views.login_embed), name='login_embed'),
url(r'^user/password_reset/$', password_reset, {'password_reset_form': forms.PasswordReset}), url(r'^user/password_reset/$', views.PasswordResetDisabled.as_view()),
# People # People
url(r'^people/$', permission_required_with_403('RIGS.view_person')(views.PersonList.as_view()), url(r'^people/$', permission_required_with_403('RIGS.view_person')(views.PersonList.as_view()),
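Review bot: Retargeting the `user/password_reset/` route leaves `password_reset` and `forms.PasswordReset` without a use in this hunk; if nothing else in the file references them (the import block is outside the hunk), drop the imports so the vulnerable view is not one stray edit away from being wired back in. The replacement entry, like the old one, has no `name=`, which is fine, but the line deserves a comment such as `# Temporarily routed to a static page in response to CVE-2019-19844; restore password_reset after upgrading Django.` Only the form entry point is visibly disabled here; whether companion done/confirm routes exist further down is not shown in this hunk.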


@@ -392,3 +392,7 @@ class ResetApiKey(generic.RedirectView):
self.request.user.save() self.request.user.save()
return reverse_lazy('profile_detail') return reverse_lazy('profile_detail')
class PasswordResetDisabled(generic.TemplateView):
template_name = "RIGS/password_reset_disable.html"
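Review bot: `PasswordResetDisabled` has no docstring explaining why a plain TemplateView stands in for the reset flow, so a later reader has no cue either to keep it or to remove it once the underlying issue is fixed; add `"""Static page served in place of the password-reset form while reset is disabled (see CVE-2019-19844)."""` under the class line. As a TemplateView it should answer POSTs to the old reset URL with 405 rather than process them, which is the intended effect and worth a sentence in that docstring. `ResetApiKey` above it starts outside the hunk.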


@@ -1,21 +0,0 @@
# Generated by Django 2.0.13 on 2020-01-02 19:33
from django.db import migrations
class Migration(migrations.Migration):
dependencies = [
('assets', '0008_auto_20191206_2124'),
]
operations = [
migrations.AlterModelOptions(
name='assetcategory',
options={'ordering': ['name'], 'verbose_name': 'Asset Category', 'verbose_name_plural': 'Asset Categories'},
),
migrations.AlterModelOptions(
name='assetstatus',
options={'ordering': ['name'], 'verbose_name': 'Asset Status', 'verbose_name_plural': 'Asset Statuses'},
),
]


@@ -1,12 +1,11 @@
# Generated by Django 2.0.13 on 2020-01-02 20:42 # Generated by Django 2.0.13 on 2020-01-03 22:15
from django.db import migrations, models from django.db import migrations, models
import django.db.models.deletion
class Migration(migrations.Migration): class Migration(migrations.Migration):
replaces = [('assets', '0009_auto_20200102_1933'), ('assets', '0010_assetstatus_display_class'), ('assets', '0011_auto_20200102_2040')]
dependencies = [ dependencies = [
('assets', '0008_auto_20191206_2124'), ('assets', '0008_auto_20191206_2124'),
] ]
@@ -23,6 +22,11 @@ class Migration(migrations.Migration):
migrations.AddField( migrations.AddField(
model_name='assetstatus', model_name='assetstatus',
name='display_class', name='display_class',
field=models.CharField(help_text='HTML class to be appended to alter display of assets with this status, such as in the list.', max_length=80), field=models.CharField(blank=True, help_text='HTML class to be appended to alter display of assets with this status, such as in the list.', max_length=80, null=True),
),
migrations.AlterField(
model_name='asset',
name='purchased_from',
field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='assets', to='assets.Supplier'),
), ),
] ]


@@ -1,18 +0,0 @@
# Generated by Django 2.0.13 on 2020-01-02 19:35
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('assets', '0009_auto_20200102_1933'),
]
operations = [
migrations.AddField(
model_name='assetstatus',
name='display_class',
field=models.TextField(default='', help_text='HTML class to be appended to alter display of assets with this status, such as in the list.'),
),
]


@@ -1,19 +0,0 @@
# Generated by Django 2.0.13 on 2020-01-03 21:34
from django.db import migrations, models
import django.db.models.deletion
class Migration(migrations.Migration):
dependencies = [
('assets', '0009_auto_20200102_1933_squashed_0011_auto_20200102_2040'),
]
operations = [
migrations.AlterField(
model_name='asset',
name='purchased_from',
field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, related_name='assets', to='assets.Supplier'),
),
]


@@ -1,18 +0,0 @@
# Generated by Django 2.0.13 on 2020-01-02 20:40
from django.db import migrations, models
class Migration(migrations.Migration):
dependencies = [
('assets', '0010_assetstatus_display_class'),
]
operations = [
migrations.AlterField(
model_name='assetstatus',
name='display_class',
field=models.CharField(help_text='HTML class to be appended to alter display of assets with this status, such as in the list.', max_length=80),
),
]


@@ -33,7 +33,7 @@ class AssetStatus(models.Model):
name = models.CharField(max_length=80) name = models.CharField(max_length=80)
should_show = models.BooleanField( should_show = models.BooleanField(
default=True, help_text="Should this be shown by default in the asset list.") default=True, help_text="Should this be shown by default in the asset list.")
display_class = models.CharField(max_length=80, help_text="HTML class to be appended to alter display of assets with this status, such as in the list.") display_class = models.CharField(max_length=80, blank=True, null=True, help_text="HTML class to be appended to alter display of assets with this status, such as in the list.")
def __str__(self): def __str__(self):
return self.name return self.name
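Review bot: `display_class` is made both `blank=True` and `null=True` on a `CharField`, which gives the column two distinct "empty" values (NULL and the empty string) that every template and query then has to treat alike; Django's convention for text fields is `blank=True` with the empty string as the stored default. Suggested line: `display_class = models.CharField(max_length=80, blank=True, default="", help_text="HTML class to be appended to alter display of assets with this status, such as in the list.")`, with the accompanying migration regenerated. The help text says the value is appended into markup as a class name, so a short field comment noting that this admin-supplied string is trusted at render time and must not bypass template auto-escaping would help the next reader. `AssetStatus` continues outside the hunk.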


@@ -44,7 +44,7 @@
</div> </div>
</form> </form>
{% if not edit %} {% if not edit and perms.assets.view_asset %}
<div class="col-sm-12 text-right"> <div class="col-sm-12 text-right">
<div> <div>
<a href="{% url 'asset_history' object.asset_id %}" title="View Revision History"> <a href="{% url 'asset_history' object.asset_id %}" title="View Revision History">


@@ -15,7 +15,7 @@ urlpatterns = [
(views.AssetEdit.as_view()), name='asset_update'), (views.AssetEdit.as_view()), name='asset_update'),
path('asset/id/<str:pk>/duplicate/', permission_required_with_403('assets.add_asset') path('asset/id/<str:pk>/duplicate/', permission_required_with_403('assets.add_asset')
(views.AssetDuplicate.as_view()), name='asset_duplicate'), (views.AssetDuplicate.as_view()), name='asset_duplicate'),
path('asset/id/<str:pk>/history/', views.AssetVersionHistory.as_view(), path('asset/id/<str:pk>/history/', permission_required_with_403('assets.view_asset')(views.AssetVersionHistory.as_view()),
name='asset_history', kwargs={'model': models.Asset}), name='asset_history', kwargs={'model': models.Asset}),
path('activity', permission_required_with_403('assets.view_asset') path('activity', permission_required_with_403('assets.view_asset')
(views.ActivityTable.as_view()), name='asset_activity_table'), (views.ActivityTable.as_view()), name='asset_activity_table'),
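Review bot: Wrapping `asset_history` in `permission_required_with_403('assets.view_asset')` closes the gap the commit message describes, but nothing pins it in place; a regression test asserting that a user without `assets.view_asset` receives 403 from `asset_history` would stop the guard being dropped again in a later refactor. The supplier history route is not in this hunk; if one exists, confirm it carries the same check, since the commit message says version histories expose financial information. The permission chosen is consistent with `asset_activity_table`, which already uses it.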


@@ -213,8 +213,9 @@ class SupplierVersionHistory(versioning.VersionHistory):
template_name = "asset_version_history.html" template_name = "asset_version_history.html"
# TODO: Reduce SQL queries
class AssetVersionHistory(versioning.VersionHistory): class AssetVersionHistory(versioning.VersionHistory):
template_name = "asset_version_history.html"
def get_object(self, **kwargs): def get_object(self, **kwargs):
return get_object_or_404(models.Asset, asset_id=self.kwargs['pk']) return get_object_or_404(models.Asset, asset_id=self.kwargs['pk'])
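Review bot: The rendering does not show which side `# TODO: Reduce SQL queries` belongs to; if it is being added it should name the query path it refers to rather than stand alone above the class, and if it is being removed the commit message does not say the query count was addressed. `AssetVersionHistory` also has no docstring; `"""Revision history for a single Asset, resolved by asset_id (not pk) from the URL."""` captures what `get_object` does. `SupplierVersionHistory` starts outside the hunk.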


@@ -10,7 +10,7 @@
{% endblock %} {% endblock %}
{% block titleelements %} {% block titleelements %}
{% if perms.assets.view_asset %} {# % if perms.assets.view_asset % #}
<li class="dropdown"> <li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown">Assets<b class="caret"></b></a> <a href="#" class="dropdown-toggle" data-toggle="dropdown">Assets<b class="caret"></b></a>
<ul class="dropdown-menu"> <ul class="dropdown-menu">
@@ -20,19 +20,19 @@
{% endif %} {% endif %}
</ul> </ul>
</li> </li>
{% endif %} {# % endif % #}
{% if perms.assets.view_supplier %} {# % if perms.assets.view_supplier % #}
<li class="dropdown"> <li class="dropdown">
<a href="#" class="dropdown-toggle" data-toggle="dropdown"> Suppliers<b class="caret"></b></a> <a href="#" class="dropdown-toggle" data-toggle="dropdown"> Suppliers<b class="caret"></b></a>
<ul class="dropdown-menu"> <ul class="dropdown-menu">
<li><a href="{% url 'supplier_list' %}"><span class="glyphicon glyphicon-list"></span> <li><a href="{% url 'supplier_list' %}"><span class="glyphicon glyphicon-list"></span>
List Suppliers</a></li> List Suppliers</a></li>
{% if perms.assets.add_asset %} {% if perms.assets.add_supplier %}
<li><a href="{% url 'supplier_create' %}"><span class="glyphicon glyphicon-plus"></span> Create Supplier</a></li> <li><a href="{% url 'supplier_create' %}"><span class="glyphicon glyphicon-plus"></span> Create Supplier</a></li>
{% endif %} {% endif %}
</ul> </ul>
</li> </li>
{% endif %} {# % endif % #}
{% if perms.assets.view_asset %} {% if perms.assets.view_asset %}
<li><a href="{% url 'asset_activity_table' %}">Recent Changes</a></li> <li><a href="{% url 'asset_activity_table' %}">Recent Changes</a></li>
{% endif %} {% endif %}
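Review bot: Turning the `{% if perms.assets.view_asset %}` / `{% endif %}` and `{% if perms.assets.view_supplier %}` / `{% endif %}` pairs into `{# % if … % #}` parks commented-out logic in the template and shows the Assets and Suppliers menus to every user, who will then meet 403s from the permission-wrapped routes, while the Recent Changes item keeps its `perms.assets.view_asset` guard, so two conventions now sit side by side. If the intent is to let basic users reach a filtered view, as the commit message hints, remove the guards outright (or re-scope them) with a comment saying why, rather than leaving them as template comments. The `add_asset`→`add_supplier` correction on the Create Supplier item is right.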