FIX: CSRF bug v souhlasu se zprac.os.udaju
This commit is contained in:
Jarmil
parent
a37d46a3d0
commit
44dbc39877
|
|
@ -53,34 +53,38 @@
|
||||||
<div class="medium-6 large-6 columns">Vyberte, za jakým účelem se chcete nalodit k Pirátům.</div>
|
<div class="medium-6 large-6 columns">Vyberte, za jakým účelem se chcete nalodit k Pirátům.</div>
|
||||||
<div class="medium-12 large-6 columns"><b>Chtěl bych: </b> <br/>{{form.kind.errors}}{{form.kind}}</div>
|
<div class="medium-12 large-6 columns"><b>Chtěl bych: </b> <br/>{{form.kind.errors}}{{form.kind}}</div>
|
||||||
<div class="medium-12 large-12 columns"> </div>
|
<div class="medium-12 large-12 columns"> </div>
|
||||||
<div class="medium-6 large-6 columns">Přihlášením do Nalodění byl dán souhlas se zpracováním
|
|
||||||
osobních údajů v rozsahu nezbytném pro poskytování
|
|
||||||
požadovaných funkcí a služeb. Detaily způsobu zpracování osobních údajů
|
|
||||||
jsou k dispozici <a href="https://www.pirati.cz/o-nas/ochrana-osobnich-udaju/" target="_blank">online</a>.
|
|
||||||
</div>
|
|
||||||
<div class="medium-12 large-6 columns">
|
|
||||||
<b>Datum souhlasu se zpracováním os. údajů: </b> <br/>
|
|
||||||
{{form.dc_stamp}}
|
|
||||||
{% if request.user.dc_stamp is not None %}
|
|
||||||
<a href="/ja-pirat/profil/?undoConsent" class="button">Odvolat souhlas se zpracováním osobních údajů</a>
|
|
||||||
{% endif %}
|
|
||||||
{% if request.user.dc_undo_stamp is not None %}
|
|
||||||
(souhlas odvolán {{request.user.dc_undo_stamp}})
|
|
||||||
{% endif %}
|
|
||||||
</div>
|
|
||||||
{%comment%}
|
{%comment%}
|
||||||
<div class="medium-6 large-6 columns">{{form.interestedIn.label}}<br/>{{form.interestedIn.errors}}{{form.interestedIn}}</div>
|
<div class="medium-6 large-6 columns">{{form.interestedIn.label}}<br/>{{form.interestedIn.errors}}{{form.interestedIn}}</div>
|
||||||
{%endcomment%}
|
{%endcomment%}
|
||||||
<div class="medium-12 large-12 columns">
|
<div class="medium-12 large-12 columns">
|
||||||
|
<input type="submit" class="button button-primary" value="Uložit provedené změny"/>
|
||||||
|
</div>
|
||||||
|
</form>
|
||||||
|
|
||||||
|
<h2>Souhlas se zpracováním osobních údajů</h2>
|
||||||
|
<form method="post" action="/ja-pirat/souhlas/">
|
||||||
|
{%csrf_token%}
|
||||||
|
<div class="medium-12 large-12 columns">Přihlášením do Nalodění byl dán souhlas se zpracováním
|
||||||
|
osobních údajů v rozsahu nezbytném pro poskytování
|
||||||
|
požadovaných funkcí a služeb. Detaily způsobu zpracování osobních údajů
|
||||||
|
jsou k dispozici <a href="https://www.pirati.cz/o-nas/ochrana-osobnich-udaju/" target="_blank">online</a>.
|
||||||
|
</div>
|
||||||
|
<div class="medium-12 large-12 columns"> </div>
|
||||||
|
<div class="medium-6 large-6 columns">Datum souhlasu se zpracováním os. údajů: </div>
|
||||||
|
<div class="medium-12 large-6 columns">
|
||||||
|
{{form.dc_stamp}}
|
||||||
|
{% if request.user.dc_undo_stamp is not None %}
|
||||||
|
(souhlas odvolán {{request.user.dc_undo_stamp}})
|
||||||
|
{% endif %}
|
||||||
|
</div>
|
||||||
|
<div class="medium-12 large-12 columns">
|
||||||
{% if request.user.dc_stamp is None %}
|
{% if request.user.dc_stamp is None %}
|
||||||
<input type="submit" class="button" value="Uložit provedené změny" disabled="disabled"/>
|
<button name="action" value="yes" class="button">Souhlasím se zpracováním osobních údajů</button>
|
||||||
<a href="/ja-pirat/profil/?doConsent" class="button">Souhlasím se zpracováním osobních údajů</a>
|
|
||||||
{% else %}
|
{% else %}
|
||||||
<input type="submit" class="button button-primary" value="Uložit provedené změny"/>
|
<button name="action" value="no" class="button">Odvolat souhlas se zpracováním osobních údajů</button>
|
||||||
{% endif %}
|
{% endif %}
|
||||||
</div>
|
</div>
|
||||||
</form>
|
</form>
|
||||||
<br/>
|
|
||||||
|
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
|
||||||
|
|
@ -29,6 +29,7 @@ urlpatterns = [
|
||||||
url(r'^nastaveni-newsletteru/$', views.dotaznik_follow, name="dotaznik_follow"),
|
url(r'^nastaveni-newsletteru/$', views.dotaznik_follow, name="dotaznik_follow"),
|
||||||
|
|
||||||
url(r'^ja-pirat/email-vizitka/$', views.email_vizitka, name="email_vizitka"),
|
url(r'^ja-pirat/email-vizitka/$', views.email_vizitka, name="email_vizitka"),
|
||||||
|
url(r'^ja-pirat/souhlas/$', views.souhlas, name="souhlas"),
|
||||||
|
|
||||||
url(r'^person/(?P<id>[0-9]+)/$', people.person_detail, name="person_detail"),
|
url(r'^person/(?P<id>[0-9]+)/$', people.person_detail, name="person_detail"),
|
||||||
url(r'^person/(?P<id>[0-9]+)/edit$', people.person_edit, name="person_edit"),
|
url(r'^person/(?P<id>[0-9]+)/edit$', people.person_edit, name="person_edit"),
|
||||||
|
|
|
||||||
|
|
@ -49,7 +49,7 @@ def about(request):
|
||||||
if not request.user.is_anonymous:
|
if not request.user.is_anonymous:
|
||||||
return HttpResponseRedirect('/ja-pirat/')
|
return HttpResponseRedirect('/ja-pirat/')
|
||||||
|
|
||||||
return render(request, 'about.html', {})
|
return render(request, 'about.html')
|
||||||
|
|
||||||
|
|
||||||
def page_eurovolby_2019(request, reg_ok=False):
|
def page_eurovolby_2019(request, reg_ok=False):
|
||||||
|
|
@ -332,29 +332,16 @@ def follow_pirates(request):
|
||||||
|
|
||||||
|
|
||||||
def paluby(request):
|
def paluby(request):
|
||||||
|
return render(request, 'paluby.html')
|
||||||
|
|
||||||
template = 'paluby.html'
|
|
||||||
context = {
|
|
||||||
}
|
|
||||||
|
|
||||||
return render(request, template, context)
|
|
||||||
|
|
||||||
def posadky(request):
|
def posadky(request):
|
||||||
|
return render(request, 'posadky.html')
|
||||||
|
|
||||||
template = 'posadky.html'
|
|
||||||
context = {
|
|
||||||
}
|
|
||||||
|
|
||||||
return render(request, template, context)
|
|
||||||
|
|
||||||
@login_required(login_url="/prihlaseni")
|
@login_required(login_url="/prihlaseni")
|
||||||
def ja_pirat(request):
|
def ja_pirat(request):
|
||||||
|
return render(request, 'ja_pirat.html')
|
||||||
template = 'ja_pirat.html'
|
|
||||||
context = {
|
|
||||||
}
|
|
||||||
|
|
||||||
return render(request, template, context)
|
|
||||||
|
|
||||||
|
|
||||||
@ensure_csrf_cookie
|
@ensure_csrf_cookie
|
||||||
|
|
@ -376,8 +363,6 @@ def prihlaseni(request):
|
||||||
|
|
||||||
Pokud je uživatel již registrován (s nebo bez ověřeného emailu),
|
Pokud je uživatel již registrován (s nebo bez ověřeného emailu),
|
||||||
je mu zaslán přihlašovací odkaz na email. Použitím odkazu bude uživatel přihlášen.
|
je mu zaslán přihlašovací odkaz na email. Použitím odkazu bude uživatel přihlášen.
|
||||||
|
|
||||||
|
|
||||||
"""
|
"""
|
||||||
|
|
||||||
if not request.user.is_anonymous:
|
if not request.user.is_anonymous:
|
||||||
|
|
@ -456,15 +441,11 @@ def prihlaseni(request):
|
||||||
fs_email = ''
|
fs_email = ''
|
||||||
messages.error(request, "Zadali jste neplatnou emailovou adresu.")
|
messages.error(request, "Zadali jste neplatnou emailovou adresu.")
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
template = 'prihlaseni.html'
|
|
||||||
context = {
|
context = {
|
||||||
'AUTH_AVAIL_IDP' : appSettings.AUTH_AVAIL_IDP,
|
'AUTH_AVAIL_IDP' : appSettings.AUTH_AVAIL_IDP,
|
||||||
'fs_email' : fs_email,
|
'fs_email' : fs_email,
|
||||||
}
|
}
|
||||||
|
return render(request, 'prihlaseni.html', context)
|
||||||
return render(request, template, context)
|
|
||||||
|
|
||||||
|
|
||||||
@login_required(login_url="/prihlaseni")
|
@login_required(login_url="/prihlaseni")
|
||||||
|
|
@ -489,31 +470,9 @@ def profil(request):
|
||||||
|
|
||||||
_form = forms.AppUserSsoForm if request.user.ssoUid else forms.AppUserForm
|
_form = forms.AppUserSsoForm if request.user.ssoUid else forms.AppUserForm
|
||||||
|
|
||||||
def save_and_redirect(page):
|
|
||||||
request.user.save()
|
|
||||||
return HttpResponseRedirect(page)
|
|
||||||
|
|
||||||
# TODO :: check and enforce DB transaction to prevent race-condition attacks
|
# TODO :: check and enforce DB transaction to prevent race-condition attacks
|
||||||
if request.method == "GET":
|
if request.method == "GET":
|
||||||
|
|
||||||
# udeleni souhlasu se zpracovanim osobnich udaju
|
|
||||||
if request.GET.get('doConsent', None) is not None:
|
|
||||||
request.user.dc_stamp = datetime.now()
|
|
||||||
request.user.dc_undo_stamp = None
|
|
||||||
return save_and_redirect('/ja-pirat/profil/')
|
|
||||||
|
|
||||||
# odvolani souhlasu se zpracovanim osobnich udaju
|
|
||||||
if request.GET.get('undoConsent', None) is not None:
|
|
||||||
request.user.dc_stamp = None
|
|
||||||
request.user.dc_undo_stamp = datetime.now()
|
|
||||||
messages.info(request, "Odvolal/a jste souhlas se zpracováním osobních údajů.")
|
|
||||||
send_mail(
|
|
||||||
"Nalodeni: %s odvolal souhlas se zpracovanim osobnich udaju" % request.user.email,
|
|
||||||
"Stalo se tak {mydate}".format(mydate=request.user.dc_undo_stamp),
|
|
||||||
"nalodeni@pirati.cz", [appSettings.EMAIL_RECIPIENT_GDPR],
|
|
||||||
)
|
|
||||||
return save_and_redirect('/ja-pirat/profil/')
|
|
||||||
|
|
||||||
emailToken = request.GET.get('t', None)
|
emailToken = request.GET.get('t', None)
|
||||||
if emailToken:
|
if emailToken:
|
||||||
# user token from DB
|
# user token from DB
|
||||||
|
|
@ -552,6 +511,8 @@ def profil(request):
|
||||||
form = _form(instance=request.user)
|
form = _form(instance=request.user)
|
||||||
|
|
||||||
elif request.method == "POST":
|
elif request.method == "POST":
|
||||||
|
|
||||||
|
|
||||||
form = _form(request.POST, instance=request.user)
|
form = _form(request.POST, instance=request.user)
|
||||||
email_contact_orig = request.user.email_contact
|
email_contact_orig = request.user.email_contact
|
||||||
with request.user.audit_context(request.user) as audit:
|
with request.user.audit_context(request.user) as audit:
|
||||||
|
|
@ -593,6 +554,34 @@ def profil(request):
|
||||||
return render(request, 'profil.html', context)
|
return render(request, 'profil.html', context)
|
||||||
|
|
||||||
|
|
||||||
|
@ensure_csrf_cookie
|
||||||
|
@login_required(login_url="/prihlaseni")
|
||||||
|
@transaction.atomic
|
||||||
|
def souhlas(request):
|
||||||
|
""" Udeleni ci odvolani souhlasu se zpracovanim osobnich udaju """
|
||||||
|
|
||||||
|
if request.method == "POST":
|
||||||
|
|
||||||
|
if request.POST.get("action", None) == "yes":
|
||||||
|
messages.info(request, "Souhlasil/a jste se zpracováním osobních údajů. Děkujeme.")
|
||||||
|
request.user.dc_stamp = datetime.now()
|
||||||
|
request.user.dc_undo_stamp = None
|
||||||
|
request.user.save()
|
||||||
|
|
||||||
|
if request.POST.get("action", None) == "no":
|
||||||
|
request.user.dc_stamp = None
|
||||||
|
request.user.dc_undo_stamp = datetime.now()
|
||||||
|
messages.info(request, "Odvolal/a jste souhlas se zpracováním osobních údajů.")
|
||||||
|
send_mail(
|
||||||
|
"Nalodeni: %s odvolal souhlas se zpracovanim osobnich udaju" % request.user.email,
|
||||||
|
"Stalo se tak {mydate}".format(mydate=request.user.dc_undo_stamp),
|
||||||
|
"nalodeni@pirati.cz", [appSettings.EMAIL_RECIPIENT_GDPR],
|
||||||
|
)
|
||||||
|
request.user.save()
|
||||||
|
|
||||||
|
return HttpResponseRedirect('/ja-pirat/profil/')
|
||||||
|
|
||||||
|
|
||||||
@login_required(login_url="/prihlaseni")
|
@login_required(login_url="/prihlaseni")
|
||||||
@transaction.atomic
|
@transaction.atomic
|
||||||
def dotaznik(request):
|
def dotaznik(request):
|
||||||
|
|
@ -607,7 +596,6 @@ def dotaznik(request):
|
||||||
|
|
||||||
# TODO :: check and enforce DB transaction to prevent race-condition attacks
|
# TODO :: check and enforce DB transaction to prevent race-condition attacks
|
||||||
if request.method == "GET":
|
if request.method == "GET":
|
||||||
# create edit form
|
|
||||||
form = _form(instance=request.user.userform)
|
form = _form(instance=request.user.userform)
|
||||||
|
|
||||||
elif request.method == "POST":
|
elif request.method == "POST":
|
||||||
|
|
@ -649,7 +637,6 @@ def dotaznik2(request):
|
||||||
|
|
||||||
# TODO :: check and enforce DB transaction to prevent race-condition attacks
|
# TODO :: check and enforce DB transaction to prevent race-condition attacks
|
||||||
if request.method == "GET":
|
if request.method == "GET":
|
||||||
# create edit form
|
|
||||||
form = _form(instance=uf)
|
form = _form(instance=uf)
|
||||||
|
|
||||||
elif request.method == "POST":
|
elif request.method == "POST":
|
||||||
|
|
@ -690,7 +677,6 @@ def dotaznik_follow(request):
|
||||||
|
|
||||||
# TODO :: check and enforce DB transaction to prevent race-condition attacks
|
# TODO :: check and enforce DB transaction to prevent race-condition attacks
|
||||||
if request.method == "GET":
|
if request.method == "GET":
|
||||||
# create edit form
|
|
||||||
form = _form(instance=uf)
|
form = _form(instance=uf)
|
||||||
|
|
||||||
elif request.method == "POST":
|
elif request.method == "POST":
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue