Fixed: jazzband/django-silk#10

yaroslav0114 · Jun 10, 2014 · 7e59a56 · 7e59a56
1 parent 98814ba
commit 7e59a56
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 6 deletions.
diff --git a/django_silky/django_silky/settings.py b/django_silky/django_silky/settings.py
@@ -113,5 +113,5 @@
 LOGIN_REDIRECT_URL = '/'
 
 SILKY_META = True
-SILKY_AUTHENTICATION = True
-SILKY_AUTHORISATION = True
+# SILKY_AUTHENTICATION = True
+# SILKY_AUTHORISATION = True
diff --git a/django_silky/silk/tests/test_view_sql_detail.py b/django_silky/silk/tests/test_view_sql_detail.py
@@ -0,0 +1,50 @@
+import os
+import random
+
+from django.core.urlresolvers import reverse
+from django.test import TestCase
+
+from silk.views.sql_detail import SQLDetailView
+
+from silk.tests import MockSuite
+
+
+class TestViewSQLDetail(TestCase):
+    def test_allowed_file_paths_nothing_specified(self):
+        """by default we dont display any source, and it should return correctly"""
+        request = MockSuite().mock_request()
+        query = MockSuite().mock_sql_queries(request=request, n=1)[0]
+        response = self.client.get(reverse('silk:request_sql_detail', kwargs={'sql_id': query.id, 'request_id': request.id}))
+        self.assertTrue(response.status_code == 200)
+
+    def test_allowed_file_paths_available_source(self):
+        """if we request to view source that exists in the TB all should be fine"""
+        request = MockSuite().mock_request()
+        query = MockSuite().mock_sql_queries(request=request, n=1)[0]
+        tb = query.traceback_ln_only
+        _, files = SQLDetailView()._urlify(tb)
+        file_path = random.choice(files)
+        with open(file_path, 'r') as f:
+            line_num = random.randint(0, len(f.read().split('\n')))
+        response = self.client.get(reverse('silk:request_sql_detail',
+                                           kwargs={'sql_id': query.id, 'request_id': request.id}),
+                                   data={
+                                       'line_num': line_num,
+                                       'file_path': file_path
+                                   })
+        self.assertTrue(response.status_code == 200)
+
+    def test_allowed_file_paths_unavailable_source(self):
+        """if we request to view source that is not in the tracebackk we should get a 403"""
+        request = MockSuite().mock_request()
+        query = MockSuite().mock_sql_queries(request=request, n=1)[0]
+        file_path = os.path.realpath(os.path.dirname(os.path.realpath(__file__)) + '/../../django_silky/settings.py')
+        with open(file_path, 'r') as f:
+            line_num = random.randint(0, len(f.read().split('\n')))
+        response = self.client.get(reverse('silk:request_sql_detail',
+                                           kwargs={'sql_id': query.id, 'request_id': request.id}),
+                                   data={
+                                       'line_num': line_num,
+                                       'file_path': file_path
+                                   })
+        self.assertTrue(response.status_code == 403)
diff --git a/django_silky/silk/views/sql_detail.py b/django_silky/silk/views/sql_detail.py
@@ -1,11 +1,12 @@
 import re
+from django.core.exceptions import PermissionDenied
 
 from django.shortcuts import render_to_response
 from django.utils.decorators import method_decorator
 from django.utils.safestring import mark_safe
 from django.views.generic import View
-from silk.auth import login_possibly_required, permissions_possibly_required
 
+from silk.auth import login_possibly_required, permissions_possibly_required
 from silk.models import SQLQuery, Request, Profile
 
 
@@ -19,7 +20,7 @@ def _code(file_path, line_num, end_line_num=None):
         for i, line in enumerate(f):
             if i in r:
                 lines += line
-            if i + 1 in range(line_num, end_line_num+1):
+            if i + 1 in range(line_num, end_line_num + 1):
                 actual_line.append(line)
     code = lines.split('\n')
     return actual_line, code
@@ -33,12 +34,14 @@ def _code_context(file_path, line_num):
 
 class SQLDetailView(View):
     def _urlify(self, str):
+        files = []
         r = re.compile("(?P<src>/.*\.py)\", line (?P<num>[0-9]+).*")
         m = r.search(str)
         n = 1
         while m:
             group = m.groupdict()
             src = group['src']
+            files.append(src)
             num = group['num']
             start = m.start('src')
             end = m.end('src')
@@ -49,7 +52,7 @@ def _urlify(self, str):
             str = str[:start] + rep + str[end:]
             m = r.search(str)
             n += 1
-        return str
+        return str, files
 
     @method_decorator(login_possibly_required)
     @method_decorator(permissions_possibly_required)
@@ -62,7 +65,10 @@ def get(self, request, *_, **kwargs):
         file_path = request.GET.get('file_path', '')
         line_num = int(request.GET.get('line_num', 0))
         tb = sql_query.traceback_ln_only
-        tb = [mark_safe(x) for x in self._urlify(tb).split('\n')]
+        str, files = self._urlify(tb)
+        if file_path and not file_path in files:
+            raise PermissionDenied
+        tb = [mark_safe(x) for x in str.split('\n')]
         context = {
             'sql_query': sql_query,
             'traceback': tb,