From 26f334fd634b239d32aad97ac8fbc039357fa58f Mon Sep 17 00:00:00 2001
From: gowtham
Date: Sun, 12 Dec 2021 20:13:47 +0530
Subject: [PATCH] Removed Security Leaks
---
 CDC_Backend/APIs/studentViews.py | 6 +++++-
 CDC_Backend/APIs/utils.py | 10 +++++-----
 2 files changed, 10 insertions(+), 6 deletions(-)
diff --git a/CDC_Backend/APIs/studentViews.py b/CDC_Backend/APIs/studentViews.py
index 0ea1824..79504fc 100644
--- a/CDC_Backend/APIs/studentViews.py
+++ b/CDC_Backend/APIs/studentViews.py
@@ -99,6 +99,10 @@ def deleteResume(request, id, email, user_type):
 try:
 student = get_object_or_404(Student, id=id)
 file_name = request.data[RESUME_FILE_NAME]
+ if file_name not in student.resumes:
+ return Response({'action': "Delete Resume", 'message': "Resume Not Found"},
+ status=status.HTTP_404_NOT_FOUND)
+
 destination_path = STORAGE_DESTINATION_RESUMES + id + "/" + str(file_name)
 if path.exists(destination_path):
 remove(destination_path)
@@ -112,7 +116,7 @@ def deleteResume(request, id, email, user_type):
 return Response({'action': "Delete Resume", 'message': 'Student Not Found'},
 status=status.HTTP_404_NOT_FOUND)
 except FileNotFoundError as e:
- return Response({'action': "Delete Resume", 'message': str(e)},
+ return Response({'action': "Delete Resume", 'message': 'File Not Found'},
 status=status.HTTP_404_NOT_FOUND)
 except:
 logger.warning("Delete Resume: " + str(sys.exc_info()))
diff --git a/CDC_Backend/APIs/utils.py b/CDC_Backend/APIs/utils.py
index 496d52c..b35dd17 100644
--- a/CDC_Backend/APIs/utils.py
+++ b/CDC_Backend/APIs/utils.py
@@ -48,7 +48,7 @@ def precheck(required_data=None):
 return view_func(request, *args, **kwargs)
 except:
- return Response({'action': "Pre check", 'message': "Error Occurred " + str(sys.exc_info())},
+ return Response({'action': "Pre check", 'message': "Something went wrong"},
 status=status.HTTP_400_BAD_REQUEST)
 return wrapper_func
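Review bot: The new `if file_name not in student.resumes:` guard is now the only thing standing between the caller-supplied name and the filesystem path built right after it, `destination_path = STORAGE_DESTINATION_RESUMES + id + "/" + str(file_name)`, and it only does that job if `student.resumes` is a collection of exact names (a plain string would turn `in` into a substring test) and every stored entry was validated at upload time, neither of which this hunk shows. I would make the path safety explicit next to the membership check rather than rely on that assumption, e.g. `if path.basename(str(file_name)) != str(file_name): return Response({'action': "Delete Resume", 'message': "Resume Not Found"}, status=status.HTTP_404_NOT_FOUND)`, so a name containing a separator is rejected before `remove()` regardless of how `resumes` is populated. A short comment on the guard, `# only names recorded for this student may be deleted; never trust request data for a path`, would record the intent. deleteResume continues past the end of this hunk, so whether `student.resumes` is updated after the unlink is not visible here.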
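Review bot: Replacing `str(e)` with 'File Not Found' in the FileNotFoundError branch also drops the only record of which path was missing, because nothing in that branch logs, whereas the bare `except:` right below it still writes `sys.exc_info()` to the log; I would keep parity and add `logger.warning("Delete Resume: " + str(e))` before the return. The same gap appears in the precheck hunk of utils.py, where the new 'Something went wrong' response replaces the traceback in the body but adds no log line, so an exception raised inside `view_func` is now recorded nowhere at all; `logger.warning("Pre check: " + str(sys.exc_info()))` before that return would match the other wrappers in the same file, which already use `logger`. Scrubbing the response is the right call; the detail just needs to move server-side rather than vanish. deleteResume starts before this hunk.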
@@ -79,15 +79,15 @@ def isAuthorized(allowed_users=None):
 else:
 raise PermissionError("Authorization Header Not Found")
- except PermissionError as e:
- return Response({'action': "Is Authorized?", 'message': str(e)},
+ except PermissionError:
+ return Response({'action': "Is Authorized?", 'message': 'Access Denied'},
 status=status.HTTP_401_UNAUTHORIZED)
 except Http404:
 return Response({'action': "Is Authorized?", 'message': "User Not Found. Contact CDC for more details"},
 status=status.HTTP_404_NOT_FOUND)
 except ValueError as e:
- logger.warning("Problem with Google Oauth2.0 " + str(e))
- return Response({'action': "Is Authorized?", 'message': str(e)},
+ logger.error("Problem with Google Oauth2.0 " + str(e))
+ return Response({'action': "Is Authorized?", 'message': 'Problem with Google Sign In'},
 status=status.HTTP_401_UNAUTHORIZED)
 except:
 logger.warning("Is Authorized? " + str(sys.exc_info()))