DigitaleAgentur___ALT
/
digitaleagenturnc
5
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Sicherheitslücke bei Rechnungsansicht geschlossen

This commit is contained in:
holger.trampe 2020-10-02 11:39:31 +02:00
parent e77b907f12
commit 0cc8664d09
1 changed files with 29 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
dasettings/views.py
View File

@ -287,7 +287,6 @@ def GetBill(request, pk):
'fileid' : json.loads(r.text)["documentFileId"] 'fileid' : json.loads(r.text)["documentFileId"]
} }
return render(request, 'dasettings/bill_single.html', context) return render(request, 'dasettings/bill_single.html', context)
import io as BytesIO import io as BytesIO
@ -296,30 +295,36 @@ from django.http import HttpResponse
@login_required @login_required
def GetBillPDF(request, pk): def GetBillPDF(request, pk):
bill = AgencyBills.objects.get(pk=pk)
# Sicherheitscheck, ob der angefragte User zur Agentur gehört und das Recht hat, Agenturinfos zu bearbeiten
if bill.agency == request.user.profile.agency and request.user.has_perm("users.agencyinfo"):
headers = {
'Authorization': 'Bearer ' + settings.LEX_API,
'Content-Type': 'application/json',
'Accept': 'application/json',
}
lexdata = {
"renderType" : "pdf"
}
json_data = json.dumps(lexdata)
r = requests.get("https://api.lexoffice.io/v1/invoices/"+bill.lexid+"/document", data=json_data, headers=headers)
json.loads(r.text)
base64String = requests.get("https://api.lexoffice.io/v1/files/"+json.loads(r.text)["documentFileId"]+"/", data=json_data, headers=headers)
buffer = BytesIO.BytesIO()
content = base64.b64decode(base64String.text)
buffer.write(content)
response = HttpResponse(buffer.getvalue(),content_type="application/pdf")
response['Content-Disposition'] = 'inline;filename=some_file.pdf'
return response
else:
messages.warning(request, f'Diese Daten sind für Sie nicht einsehbar.')
return redirect("dasettings")
headers = {
'Authorization': 'Bearer ' + settings.LEX_API,
'Content-Type': 'application/json',
'Accept': 'application/json',
}
lexdata = {
"renderType" : "pdf"
}
json_data = json.dumps(lexdata)
r = requests.get("https://api.lexoffice.io/v1/invoices/"+AgencyBills.objects.get(pk=pk).lexid+"/document", data=json_data, headers=headers)
json.loads(r.text)
base64String = requests.get("https://api.lexoffice.io/v1/files/"+json.loads(r.text)["documentFileId"]+"/", data=json_data, headers=headers)
buffer = BytesIO.BytesIO()
content = base64.b64decode(base64String.text)
buffer.write(content)
response = HttpResponse(buffer.getvalue(),content_type="application/pdf")
response['Content-Disposition'] = 'inline;filename=some_file.pdf'
return response
''' '''