Merge pull request #2222 from bookwyrm-social/redirects

Removes insecure redirects

bookwyrm/views/goal.py

@@ -70,7 +70,7 @@ def post(self, request, username, year):
                 privacy=goal.privacy,
             )
 
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("user-goal", request.user.localname, year)
 
 
 @require_POST
@@ -79,4 +79,4 @@ def hide_goal(request):
     """don't keep bugging people to set a goal"""
     request.user.show_goal = False
     request.user.save(broadcast=False, update_fields=["show_goal"])
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")

bookwyrm/views/interaction.py

@@ -28,7 +28,7 @@ def post(self, request, status_id):
 
         if is_api_request(request):
             return HttpResponse()
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("/")
 
 
 @method_decorator(login_required, name="dispatch")
@@ -48,7 +48,7 @@ def post(self, request, status_id):
         favorite.delete()
         if is_api_request(request):
             return HttpResponse()
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("/")
 
 
 @method_decorator(login_required, name="dispatch")
@@ -67,7 +67,7 @@ def post(self, request, status_id):
             boosted_status=status, user=request.user
         ).exists():
             # you already boosted that.
-            return redirect(request.headers.get("Referer", "/"))
+            return redirect("/")
 
         models.Boost.objects.create(
             boosted_status=status,
@@ -76,7 +76,7 @@ def post(self, request, status_id):
         )
         if is_api_request(request):
             return HttpResponse()
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("/")
 
 
 @method_decorator(login_required, name="dispatch")
@@ -94,4 +94,4 @@ def post(self, request, status_id):
         boost.delete()
         if is_api_request(request):
             return HttpResponse()
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("/")

bookwyrm/views/reading.py

@@ -79,13 +79,11 @@ def post(self, request, status, book_id):
         current_status_shelfbook = shelves[0] if shelves else None
 
         # checking the referer prevents redirecting back to the modal page
-        referer = request.headers.get("Referer", "/")
-        referer = "/" if "reading-status" in referer else referer
         if current_status_shelfbook is not None:
             if current_status_shelfbook.shelf.identifier != desired_shelf.identifier:
                 current_status_shelfbook.delete()
             else:  # It already was on the shelf
-                return redirect(referer)
+                return redirect("/")
 
         models.ShelfBook.objects.create(
             book=book, shelf=desired_shelf, user=request.user
@@ -123,7 +121,7 @@ def post(self, request, status, book_id):
         if is_api_request(request):
             return HttpResponse()
 
-        return redirect(referer)
+        return redirect("/")
 
 
 @method_decorator(login_required, name="dispatch")
@@ -205,7 +203,7 @@ def delete_readthrough(request):
     readthrough.raise_not_deletable(request.user)
 
     readthrough.delete()
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")
 
 
 @login_required
@@ -216,4 +214,4 @@ def delete_progressupdate(request):
     update.raise_not_deletable(request.user)
 
     update.delete()
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")

bookwyrm/views/shelf/shelf_actions.py

@@ -13,7 +13,7 @@ def create_shelf(request):
     """user generated shelves"""
     form = forms.ShelfForm(request.POST)
     if not form.is_valid():
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("user-shelves", request.user.localname)
 
     shelf = form.save()
     return redirect(shelf.local_path)
@@ -70,7 +70,7 @@ def shelve(request):
             ):
                 current_read_status_shelfbook.delete()
             else:  # It is already on the shelf
-                return redirect(request.headers.get("Referer", "/"))
+                return redirect("/")
 
         # create the new shelf-book entry
         models.ShelfBook.objects.create(
@@ -86,7 +86,7 @@ def shelve(request):
         # Might be good to alert, or reject the action?
         except IntegrityError:
             pass
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")
 
 
 @login_required
@@ -100,4 +100,4 @@ def unshelve(request, book_id=False):
     )
     shelf_book.raise_not_deletable(request.user)
     shelf_book.delete()
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")

bookwyrm/views/status.py

@@ -82,7 +82,7 @@ def post(self, request, status_type, existing_status_id=None):
             if is_api_request(request):
                 logger.exception(form.errors)
                 return HttpResponseBadRequest()
-            return redirect(request.headers.get("Referer", "/"))
+            return redirect("/")
 
         status = form.save(commit=False)
         # save the plain, unformatted version of the status for future editing
@@ -146,7 +146,7 @@ def post(self, request, status_id):
 
         # perform deletion
         status.delete()
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("/")
 
 
 @login_required
@@ -195,7 +195,7 @@ def edit_readthrough(request):
 
     if is_api_request(request):
         return HttpResponse()
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")
 
 
 def find_mentions(content):

bookwyrm/views/user.py

@@ -164,7 +164,7 @@ def hide_suggestions(request):
     """not everyone wants user suggestions"""
     request.user.show_suggested_users = False
     request.user.save(broadcast=False, update_fields=["show_suggested_users"])
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")
 
 
 # pylint: disable=unused-argument