mirror of
https://github.com/janeczku/calibre-web
synced 2024-12-26 01:50:31 +00:00
Better input check for custom_columns
This commit is contained in:
parent
bd3ccfd0a9
commit
c0b561cb5a
28
cps/admin.py
28
cps/admin.py
@ -473,6 +473,21 @@ def update_table_settings():
|
|||||||
return "Invalid request", 400
|
return "Invalid request", 400
|
||||||
return ""
|
return ""
|
||||||
|
|
||||||
|
def check_valid_read_column(column):
|
||||||
|
if column is not "0":
|
||||||
|
if not calibre_db.session.query(db.Custom_Columns).filter(db.Custom_Columns.id == column) \
|
||||||
|
.filter(and_(db.Custom_Columns.datatype == 'bool', db.Custom_Columns.mark_for_delete == 0)).all():
|
||||||
|
return False
|
||||||
|
return True
|
||||||
|
|
||||||
|
def check_valid_restricted_column(column):
|
||||||
|
if column is not "0":
|
||||||
|
if not calibre_db.session.query(db.Custom_Columns).filter(db.Custom_Columns.id == column) \
|
||||||
|
.filter(and_(db.Custom_Columns.datatype == 'text', db.Custom_Columns.mark_for_delete == 0)).all():
|
||||||
|
return False
|
||||||
|
return True
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@admi.route("/admin/viewconfig", methods=["POST"])
|
@admi.route("/admin/viewconfig", methods=["POST"])
|
||||||
@login_required
|
@login_required
|
||||||
@ -488,12 +503,23 @@ def update_view_configuration():
|
|||||||
if _config_string("config_title_regex"):
|
if _config_string("config_title_regex"):
|
||||||
calibre_db.update_title_sort(config)
|
calibre_db.update_title_sort(config)
|
||||||
|
|
||||||
|
if not check_valid_read_column(to_save.get("config_read_column", "0")):
|
||||||
|
flash(_(u"Invalid Read Column"), category="error")
|
||||||
|
log.debug("Invalid Read column")
|
||||||
|
return view_configuration()
|
||||||
_config_int("config_read_column")
|
_config_int("config_read_column")
|
||||||
|
|
||||||
|
if not check_valid_restricted_column(to_save.get("config_restricted_column", "0")):
|
||||||
|
flash(_(u"Invalid Restricted Column"), category="error")
|
||||||
|
log.debug("Invalid Restricted Column")
|
||||||
|
return view_configuration()
|
||||||
|
_config_int("config_restricted_column")
|
||||||
|
|
||||||
_config_int("config_theme")
|
_config_int("config_theme")
|
||||||
_config_int("config_random_books")
|
_config_int("config_random_books")
|
||||||
_config_int("config_books_per_page")
|
_config_int("config_books_per_page")
|
||||||
_config_int("config_authors_max")
|
_config_int("config_authors_max")
|
||||||
_config_int("config_restricted_column")
|
|
||||||
|
|
||||||
config.config_default_role = constants.selected_roles(to_save)
|
config.config_default_role = constants.selected_roles(to_save)
|
||||||
config.config_default_role &= ~constants.ROLE_ANONYMOUS
|
config.config_default_role &= ~constants.ROLE_ANONYMOUS
|
||||||
|
Loading…
Reference in New Issue
Block a user