Sicherheitslücke bei Rechnungsansicht geschlossen
parent
e77b907f12
commit
0cc8664d09
@ -287,7 +287,6 @@ def GetBill(request, pk):
|
|||
'fileid' : json.loads(r.text)["documentFileId"]
|
||||
}
|
||||
|
||||
|
||||
return render(request, 'dasettings/bill_single.html', context)
|
||||
|
||||
import io as BytesIO
|
||||
|
|
@ -296,30 +295,36 @@ from django.http import HttpResponse
|
|||
|
||||
@login_required
|
||||
def GetBillPDF(request, pk):
|
||||
bill = AgencyBills.objects.get(pk=pk)
|
||||
# Sicherheitscheck, ob der angefragte User zur Agentur gehört und das Recht hat, Agenturinfos zu bearbeiten
|
||||
if bill.agency == request.user.profile.agency and request.user.has_perm("users.agencyinfo"):
|
||||
headers = {
|
||||
'Authorization': 'Bearer ' + settings.LEX_API,
|
||||
'Content-Type': 'application/json',
|
||||
'Accept': 'application/json',
|
||||
}
|
||||
|
||||
lexdata = {
|
||||
"renderType" : "pdf"
|
||||
}
|
||||
json_data = json.dumps(lexdata)
|
||||
|
||||
r = requests.get("https://api.lexoffice.io/v1/invoices/"+bill.lexid+"/document", data=json_data, headers=headers)
|
||||
json.loads(r.text)
|
||||
|
||||
base64String = requests.get("https://api.lexoffice.io/v1/files/"+json.loads(r.text)["documentFileId"]+"/", data=json_data, headers=headers)
|
||||
|
||||
buffer = BytesIO.BytesIO()
|
||||
content = base64.b64decode(base64String.text)
|
||||
buffer.write(content)
|
||||
|
||||
response = HttpResponse(buffer.getvalue(),content_type="application/pdf")
|
||||
response['Content-Disposition'] = 'inline;filename=some_file.pdf'
|
||||
return response
|
||||
else:
|
||||
messages.warning(request, f'Diese Daten sind für Sie nicht einsehbar.')
|
||||
return redirect("dasettings")
|
||||
|
||||
headers = {
|
||||
'Authorization': 'Bearer ' + settings.LEX_API,
|
||||
'Content-Type': 'application/json',
|
||||
'Accept': 'application/json',
|
||||
}
|
||||
|
||||
lexdata = {
|
||||
"renderType" : "pdf"
|
||||
}
|
||||
json_data = json.dumps(lexdata)
|
||||
|
||||
r = requests.get("https://api.lexoffice.io/v1/invoices/"+AgencyBills.objects.get(pk=pk).lexid+"/document", data=json_data, headers=headers)
|
||||
json.loads(r.text)
|
||||
|
||||
base64String = requests.get("https://api.lexoffice.io/v1/files/"+json.loads(r.text)["documentFileId"]+"/", data=json_data, headers=headers)
|
||||
|
||||
buffer = BytesIO.BytesIO()
|
||||
content = base64.b64decode(base64String.text)
|
||||
buffer.write(content)
|
||||
|
||||
response = HttpResponse(buffer.getvalue(),content_type="application/pdf")
|
||||
response['Content-Disposition'] = 'inline;filename=some_file.pdf'
|
||||
return response
|
||||
|
||||
|
||||
'''
|
||||
|
|
|
|||
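Review bot: `AgencyBills.objects.get(pk=pk)` at the top of the new GetBillPDF raises `DoesNotExist` for an unknown pk, so a logged-in user probing ids gets a 500 for missing bills and the warning/redirect for existing ones — an existence oracle the new authorization check does not close; `bill = get_object_or_404(AgencyBills, pk=pk)` (from `django.shortcuts`) gives a uniform 404 instead, or narrow the lookup itself with `agency=request.user.profile.agency`. The gate `bill.agency == request.user.profile.agency` is the right idea, but if `agency` is nullable on either model a bill without an agency would compare equal to a profile without one — worth confirming against the models. The two outbound `requests.get` calls have no `timeout` and their status is never checked, so a slow or failing lexoffice response either pins the worker or surfaces as a `KeyError` on `documentFileId` (the bare `json.loads(r.text)` right after the first call is dead code). `bill.lexid` and `documentFileId` are spliced into the URL path unescaped; they presumably originate from lexoffice, but `urllib.parse.quote(..., safe='')` keeps a stray `/` from redirecting the request to a different resource. The fenced lines sketch the fetch with timeouts, status checks and escaping; they assume `from django.shortcuts import get_object_or_404` and `from urllib.parse import quote` are added at the top of the file.
```python
bill = get_object_or_404(AgencyBills, pk=pk)
# … unchanged: authorization check, headers, lexdata, json_data …
r = requests.get("https://api.lexoffice.io/v1/invoices/" + quote(bill.lexid, safe='') + "/document", data=json_data, headers=headers, timeout=10)
r.raise_for_status()
file_id = r.json()["documentFileId"]
file_resp = requests.get("https://api.lexoffice.io/v1/files/" + quote(file_id, safe='') + "/", data=json_data, headers=headers, timeout=10)
file_resp.raise_for_status()
content = base64.b64decode(file_resp.text)
# … unchanged: HttpResponse construction and else branch …
```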