security: escape always the provided user data like firstname/lastname.
marcink -
r1780:73cbe636 default
@@ -30,21 +30,21 b' from pylons.i18n.translation import _'
30
30
31 import ipaddress
31 import ipaddress
32 from sqlalchemy.exc import DatabaseError
32 from sqlalchemy.exc import DatabaseError
33 from sqlalchemy.sql.expression import true, false
34
33
35 from rhodecode import events
34 from rhodecode import events
36 from rhodecode.lib.user_log_filter import user_log_filter
35 from rhodecode.lib.user_log_filter import user_log_filter
37 from rhodecode.lib.utils2 import (
36 from rhodecode.lib.utils2 import (
38 safe_unicode, get_current_rhodecode_user, action_logger_generic,
37 safe_unicode, get_current_rhodecode_user, action_logger_generic,
39 AttributeDict, str2bool)
38 AttributeDict, str2bool)
39 from rhodecode.lib.exceptions import (
40 DefaultUserException, UserOwnsReposException, UserOwnsRepoGroupsException,
41 UserOwnsUserGroupsException, NotAllowedToCreateUserError)
40 from rhodecode.lib.caching_query import FromCache
42 from rhodecode.lib.caching_query import FromCache
41 from rhodecode.model import BaseModel
43 from rhodecode.model import BaseModel
42 from rhodecode.model.auth_token import AuthTokenModel
44 from rhodecode.model.auth_token import AuthTokenModel
43 from rhodecode.model.db import (_hash_key,
45 from rhodecode.model.db import (
44 or_, joinedload, User, UserToPerm, UserEmailMap, UserIpMap, UserLog)
46 _hash_key, true, false, or_, joinedload, User, UserToPerm,
45 from rhodecode.lib.exceptions import (
47 UserEmailMap, UserIpMap, UserLog)
46 DefaultUserException, UserOwnsReposException, UserOwnsRepoGroupsException,
47 UserOwnsUserGroupsException, NotAllowedToCreateUserError)
48 from rhodecode.model.meta import Session
48 from rhodecode.model.meta import Session
49 from rhodecode.model.repo_group import RepoGroupModel
49 from rhodecode.model.repo_group import RepoGroupModel
50
50
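Review bot: The new `from rhodecode.model.db import (_hash_key, true, false, ...)` on new lines 45–47 takes `true` and `false` from `rhodecode.model.db` instead of from `sqlalchemy.sql.expression` as the removed line 33 did, so this module now depends on `db.py` happening to import those names for its own use. Unless `db.py` declares them in `__all__` or otherwise treats them as part of its interface, an unused-import cleanup there would break this module at import time. Consider keeping the direct `from sqlalchemy.sql.expression import true, false` here, or recording the intent next to the `db` import with a comment such as `# true/false are deliberately re-exported by rhodecode.model.db`.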
@@ -70,12 +70,12 b' class UserModel(BaseModel):'
70
70
71 return {
71 return {
72 'id': user.user_id,
72 'id': user.user_id,
73 'first_name': user.name,
73 'first_name': h.escape(user.name),
74 'last_name': user.lastname,
74 'last_name': h.escape(user.lastname),
75 'username': user.username,
75 'username': user.username,
76 'email': user.email,
76 'email': user.email,
77 'icon_link': h.gravatar_url(user.email, 30),
77 'icon_link': h.gravatar_url(user.email, 30),
78 'value_display': h.person(user),
78 'value_display': h.escape(h.person(user)),
79 'value': user.username,
79 'value': user.username,
80 'value_type': 'user',
80 'value_type': 'user',
81 'active': user.active,
81 'active': user.active,
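Review bot: The added `h.escape(...)` on the `first_name`, `last_name` and `value_display` entries leaves `username`, `email` and `value` in the same dict unescaped, so the result is only safe if every consumer treats those three keys as inherently safe while treating the escaped ones as already-encoded HTML; that contract is not written down anywhere in the hunk. Escaping in the model layer also means a template that auto-escapes this dict will double-encode (`&amp;amp;`), and a consumer that emits it as JSON for a non-HTML context (a JS string, an API client) receives HTML entities in a user's name, so escaping at the rendering site is usually the more robust placement. If `username` and `email` are constrained by input validation elsewhere, a comment such as `# name/lastname are free text and are HTML-escaped here; username/email are validated on input` would record why the fields differ. The enclosing function starts outside the hunk, and `h` is presumably the helpers module, so the exact escaping semantics cannot be confirmed from here.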
@@ -28,16 +28,17 b' import logging'
28 import traceback
28 import traceback
29
29
30 from rhodecode.lib.utils2 import safe_str, safe_unicode
30 from rhodecode.lib.utils2 import safe_str, safe_unicode
31 from rhodecode.lib.exceptions import (
32 UserGroupAssignedException, RepoGroupAssignmentError)
33 from rhodecode.lib.utils2 import (
34 get_current_rhodecode_user, action_logger_generic)
31 from rhodecode.model import BaseModel
35 from rhodecode.model import BaseModel
32 from rhodecode.model.scm import UserGroupList
36 from rhodecode.model.scm import UserGroupList
33 from rhodecode.model.db import (
37 from rhodecode.model.db import (
34 true, func, User, UserGroupMember, UserGroup,
38 true, func, User, UserGroupMember, UserGroup,
35 UserGroupRepoToPerm, Permission, UserGroupToPerm, UserUserGroupToPerm,
39 UserGroupRepoToPerm, Permission, UserGroupToPerm, UserUserGroupToPerm,
36 UserGroupUserGroupToPerm, UserGroupRepoGroupToPerm)
40 UserGroupUserGroupToPerm, UserGroupRepoGroupToPerm)
37 from rhodecode.lib.exceptions import (
41
38 UserGroupAssignedException, RepoGroupAssignmentError)
39 from rhodecode.lib.utils2 import (
40 get_current_rhodecode_user, action_logger_generic)
41
42
42 log = logging.getLogger(__name__)
43 log = logging.getLogger(__name__)
43
44
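Review bot: The reordered import block on new lines 30–34 still imports from `rhodecode.lib.utils2` in two separate statements, `from rhodecode.lib.utils2 import safe_str, safe_unicode` on line 30 and the parenthesised `get_current_rhodecode_user, action_logger_generic` on lines 33–34. Since this commit is already rearranging these imports, merging them into a single `from rhodecode.lib.utils2 import (safe_str, safe_unicode, get_current_rhodecode_user, action_logger_generic)` would be cleaner and avoids the same module appearing twice in the block.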