Merge pull request #62 from CDC-IITDH/removed-security-leaks

Removed Security Leaks
2021-12-12 20:15:55 +05:30 · 2021-12-12 20:15:55 +05:30 · d99c8ab5d9
parent 89f96fae2d b314ff44bc
commit d99c8ab5d9
2 changed files with 10 additions and 6 deletions
--- a/CDC_Backend/APIs/studentViews.py
+++ b/CDC_Backend/APIs/studentViews.py
@ -99,6 +99,10 @@ def deleteResume(request, id, email, user_type):
    try:
        student = get_object_or_404(Student, id=id)
        file_name = request.data[RESUME_FILE_NAME]
+        if file_name not in student.resumes:
+            return Response({'action': "Delete Resume", 'message': "Resume Not Found"},
+                            status=status.HTTP_404_NOT_FOUND)
+
        destination_path = STORAGE_DESTINATION_RESUMES + id + "/" + str(file_name)
        if path.exists(destination_path):
            remove(destination_path)
@ -112,7 +116,7 @@ def deleteResume(request, id, email, user_type):
        return Response({'action': "Delete Resume", 'message': 'Student Not Found'},
                        status=status.HTTP_404_NOT_FOUND)
    except FileNotFoundError as e:
-        return Response({'action': "Delete Resume", 'message': str(e)},
+        return Response({'action': "Delete Resume", 'message': 'File Not Found'},
                        status=status.HTTP_404_NOT_FOUND)
    except:
        logger.warning("Delete Resume: " + str(sys.exc_info()))
--- a/CDC_Backend/APIs/utils.py
+++ b/CDC_Backend/APIs/utils.py
@ -48,7 +48,7 @@ def precheck(required_data=None):

                return view_func(request, *args, **kwargs)
            except:
-                return Response({'action': "Pre check", 'message': "Error Occurred " + str(sys.exc_info())},
+                return Response({'action': "Pre check", 'message': "Something went wrong"},
                                status=status.HTTP_400_BAD_REQUEST)

        return wrapper_func
@ -79,15 +79,15 @@ def isAuthorized(allowed_users=None):
                else:
                    raise PermissionError("Authorization Header Not Found")

-            except PermissionError as e:
-                return Response({'action': "Is Authorized?", 'message': str(e)},
+            except PermissionError:
+                return Response({'action': "Is Authorized?", 'message': 'Access Denied'},
                                status=status.HTTP_401_UNAUTHORIZED)
            except Http404:
                return Response({'action': "Is Authorized?", 'message': "User Not Found. Contact CDC for more details"},
                                status=status.HTTP_404_NOT_FOUND)
            except ValueError as e:
-                logger.warning("Problem with Google Oauth2.0 " + str(e))
-                return Response({'action': "Is Authorized?", 'message': str(e)},
+                logger.error("Problem with Google Oauth2.0 " + str(e))
+                return Response({'action': "Is Authorized?", 'message': 'Problem with Google Sign In'},
                                status=status.HTTP_401_UNAUTHORIZED)
            except:
                logger.warning("Is Authorized? " + str(sys.exc_info()))